Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 Jun 2005 03:47:15 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: using John to crack MD5 password with more than 13 characters

Denis has already provided the correct answer to this question, so
I'll only comment on some other related issues:

On Thu, Jun 02, 2005 at 12:03:33PM -0300, Alceu R. de Freitas Jr. wrote:
> I have an web application that uses MD5 and base64
> encoding to protect users passwords.

MD5 (as well as SHA1, etc.) is not intended to be used for password
hashing, and it is quite bad at that, -- unless you wrap it in a
higher-level algorithm which implements salts and multiple iterations
(thousands to millions, -- preferably with the number encoded along
with the hashes).

For applications written in PHP, you can use my PHP password hashing
framework:

	http://www.openwall.com/phpass/

If you've been using plain MD5 and haven't been enforcing very
complicated passwords/passphrases, you should expect 90-99% of the
hashes to be cracked (e.g., with the contributed "raw MD5" support
patch for John), -- because these hashes are really that weak.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ