Date: Sat, 4 Jun 2005 03:47:15 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: using John to crack MD5 password with more than 13 characters Denis has already provided the correct answer to this question, so I'll only comment on some other related issues: On Thu, Jun 02, 2005 at 12:03:33PM -0300, Alceu R. de Freitas Jr. wrote: > I have an web application that uses MD5 and base64 > encoding to protect users passwords. MD5 (as well as SHA1, etc.) is not intended to be used for password hashing, and it is quite bad at that, -- unless you wrap it in a higher-level algorithm which implements salts and multiple iterations (thousands to millions, -- preferably with the number encoded along with the hashes). For applications written in PHP, you can use my PHP password hashing framework: http://www.openwall.com/phpass/ If you've been using plain MD5 and haven't been enforcing very complicated passwords/passphrases, you should expect 90-99% of the hashes to be cracked (e.g., with the contributed "raw MD5" support patch for John), -- because these hashes are really that weak. -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.