Crack the MD5 function of MySQL within several seconds

Source: Internet
Author: User
As per the documentation on MySQL, I moved the storage of passwords from using PASSWORD() to using MD5(). I read in a number of places that this was a method that couldn't be reversed and that it was far more secure than the previous method. I was feeling confident that life was about to get a little more secure. While going through my daily RSS feeds and mailing lists for SpikeSource, I happened upon a thread in which someone was discussing how easy it was to break MD5 hashes. It was a simple matter of using a brute force algorithm to check all the different combinations.

Eager to try this out for myself, I did a quick Google search and found a project, RainbowCrack, which was a Windows/Linux utility that would brute force crack MD5 hashes amongst other secure algorithms. Thinking it would be shrouded in mathematical terms and phrases unfamiliar to me, I didn't hold out much hope that I could get it to do what I wanted: to take a sample of passwords that were stored in MySQL database tables using the MD5() function and crack them for me.

The project builds a number of lookup tables to make the whole process a lot quicker. This, in all fairness, only took about 18 hours to complete on my dual processor 3 GHz machine. After the tables were built, it was a simple matter of running a simple command line utility to crack the MD5 hash. Time taken? 1.26 seconds! That's how secure MySQL passwords encoded with MD5() are at this precise moment.

Some sample output from RainbowCrack:

    e:/rainbowcrack-1.2-win>rcrack *.rt -h 7694f4a66316e53c8cdd9d9954bd611d
    md5_loweralpha#1-7_0_2100x8000000_all.rt:
    128000000 bytes read, disk access time: 6.23 s
    verifying the file...
    searching for 1 hash...
    plaintext of 7694f4a66316e53c8cdd9d9954bd611d is qlkjalkj
    cryptanalysis time: 1.52 s

    statistics
    -------------------------------------------------------
    plaintext found:          1 of 1 (100.00%)
    total disk access time:   6.23 s
    total cryptanalysis time: 1.52 s
    total chain walk step:    403651
    total false alarm:        388
    total chain walk step due to false alarm: 579374

    result
    -------------------------------------------------------
    7694f4a66316e53c8cdd9d9954bd611d  qlkjalkj  hex:71

So really, the only reason to store passwords using MD5() would be to discourage the casual hacker, but it is by no means a secure method as some sites would have you believe. It is fair to note that the RainbowCrack documentation states that salted MD5 hashes can't be broken, but MySQL doesn't salt their implementation, so it makes no difference here.
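The difference between unsalted and salted storage described above, as an added example (not code from the original post or from RainbowCrack). It assumes PBKDF2-HMAC-SHA256 with a per-password random salt as the replacement scheme; the candidate list, storage format, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed table's keyspace.
CANDIDATES = ["qlkjalkj", "letmein", "password", "abcdefg"]


def unsalted_md5(password: str) -> str:
    """Hex MD5 of the string, as MySQL's MD5() returns: no salt, one fast pass."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> plaintext once; it applies to every unsalted hash."""
    return {unsalted_md5(c): c for c in candidates}


def recover(stored: str, lookup: dict):
    """Return the plaintext if the stored value appears in the table, else None."""
    return lookup.get(stored)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow format (assumed): pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # unique per password, stored next to the digest
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    print("unsalted:", recover(unsalted_md5("letmein"), table))
    print("salted:  ", recover(hash_password("letmein"), table))
```

Two accounts with the same password get the same unsalted digest, so one table serves every row; with a random salt each stored value differs and the table no longer matches.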
