Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What's the big deal with brute force on hashes like MD5

I just spent some time reading https://stackoverflow.com/questions/2768248/is-md5-really-that-bad (I highly recommend!).

In it, it talks about hash collisions. Maybe I'm missing something here, but can't you just encrypt your password using, say, MD5 and then, say, SHA-1 (or any other, doesn't matter.) Wouldn't this increase the processing power required to brute-force the hash and reduce the possibility of collision?

like image 667
Jan K. Avatar asked Jun 09 '10 21:06

Jan K.


People also ask

Why MD5 is no longer recommended for use?

Although originally designed as a cryptographic message authentication code algorithm for use on the internet, MD5 hashing is no longer considered reliable for use as a cryptographic checksum because security experts have demonstrated techniques capable of easily producing MD5 collisions on commercial off-the-shelf ...

Can you brute force a hash?

Brute force is also used to crack the hash and guess a password from a given hash. In this, the hash is generated from random passwords and then this hash is matched with a target hash until the attacker finds the correct one.

How long does it take to brute force MD5 hash?

How long does it take to crack MD5 passwords? With the current technology, it takes a computer 8 hours to crack a complex 8-characters password (numbers, upper and lowercase letters, symbols).

Why are brute force attacks always successful?

The biggest advantages of brute force attacks is that they are relatively simple to perform and, given enough time and the lack of a mitigation strategy for the target, they always work. Every password-based system and encryption key out there can be cracked using a brute force attack.


1 Answers

First of all md5 and sha1 are not encryption functions, they are message digest functions. Also most hashes are broken in real world using dictionary attacks like John The Ripper and Rainbow Crack.

John The Ripper is best suited for salted passwords where the attacker knows the salt value. Rainbow Crack is good for passwords with small unknown salts and straight hashes like md5($pass).

Rainbow Crack takes a long time to build the tables, but after that passwords break in a matter of seconds. It depends on how fast your disk drives are.

like image 175
rook Avatar answered Dec 02 '22 03:12

rook