So I was looking around for a Web service that could take a string of text and return an MD5 Hash of that string, and I found something disturbing.
An MD5 Hash is a big number that is generated by doing crazy math on the original information. It has two good qualities – when you start with the same text you always get the same result, and it’s pretty much impossible to tell what the text was from the number.
A lot of places store the hash of your password, rather than the password itself. When you type in your password, it’s hashed, and the resulting number is sent over the wire. If the number matches the one in their database then you’re in.
But there is one way to crack the hash I hadn’t considered: keep a database of known strings and the resulting hash. It had never occurred to me to try to keep a table so huge, but with access to this information you could pretty easily crack passwords that lots of people use.
In my search for a hashing service, I came across one such Web site. Also on that site: a service to generate a hash for you. The message: “Hey! We keep a database of hashes to render them useless! You want us to calculate a hash for you?”
Um… No thanks?
At this point, I have to advise, stay away from Web-based hash generators. I know you were about to go and use one.