[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

MD5 crack and passwords

It is not always enough or required to find something that has the right
hash value. With windows a modified client can authentication just by
knowing the hash value (and there is no salt). [Windows does not use
MD5, but that is beside the point.]

What I have implemented on the web requires knowledge of a RSA private
key, like NIS+. The normal way to get this is to compute MD5 of the
password and salt, and use this to decrypt the server's encrypted
version. Using an inverse MD5 genie to attack this scheme seems a little
silly. You do not need to be authenticating over an insecure network to
implement this but it helps :-)

It is perhaps worth noting that the two public byte sequences are *very*
similar, so it might be possible to do this trick within the limits of a
trojanised binary. Without more information nobody can say.

Reply to: