Cameron Childress wrote:
>
> How likely are collisions? Assuming that MD5 uses a 36 character set (it
> appears to) for its output, and it's 32 characters long, that would be a
> maximum of 36^32 (6.3340286662973277706162286946812e+49 per my windows calc)
> possible hash values you'd have to run through before your brute force
> attack would work.

With a returned 128 bit hash, and under the assumption that the likelihood of each generated hash is equal, the expected number of strings one would need to test to find something that generates the same hash is 2^127 (1.7e+38).

However, the likelihood of somebody using a set of more than 75 different characters (2*26 letters, 10 numbers and some more) in a password is quite small. Combine this with the likelihood of a password being longer than 12 characters and the number of possible passwords is about 3.16^22 (75^12, maybe 62^8 is better but doesn't really matter for the argument). This means that 1.58e+22 is the expected number of tries before finding the password.

Conclusion: the password itself has less entropy than the hash potentially has. I would improve the password quality before worrying about the hash.

Jochem
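
The comparison made in the reply above, as an added example that is not part of the original message: it computes the password keyspace against the 128-bit hash output and the password length at which the hash stops being the stronger side. The function names are hypothetical, and the model assumes, as the message does, uniformly random passwords of a fixed length and a uniformly distributed hash.

```python
import math

HASH_BITS = 128  # MD5 output size, as stated in the message


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of fixed length."""
    return math.log2(charset_size ** length)


def expected_tries(charset_size: int, length: int) -> int:
    """Expected guesses to hit one password: half the keyspace."""
    return charset_size ** length // 2


def expected_hash_tries(hash_bits: int = HASH_BITS) -> int:
    """Expected inputs to test before one matches a given hash
    (half the output space, the 2^127 figure in the message)."""
    return 2 ** (hash_bits - 1)


def min_length_to_match(charset_size: int, hash_bits: int = HASH_BITS) -> int:
    """Shortest password length whose keyspace is at least 2^hash_bits.
    Uses exact integer arithmetic to avoid float rounding at the boundary."""
    length = 1
    while charset_size ** length < 2 ** hash_bits:
        length += 1
    return length


def weaker_side(charset_size: int, length: int, hash_bits: int = HASH_BITS) -> str:
    """Which one an attacker should search: the password space or the hash space."""
    if expected_tries(charset_size, length) < expected_hash_tries(hash_bits):
        return "password"
    return "hash"


if __name__ == "__main__":
    # The two password models mentioned in the message: 75^12 and 62^8.
    for charset, length in [(75, 12), (62, 8)]:
        print(f"{charset}^{length}: {keyspace_bits(charset, length):.1f} bits, "
              f"expected tries {expected_tries(charset, length):.3g}, "
              f"weaker side: {weaker_side(charset, length)}")
    print(f"hash: {HASH_BITS} bits, expected tries {expected_hash_tries():.3g}")
    for charset in (75, 62):
        print(f"charset {charset}: length {min_length_to_match(charset)} "
              f"needed to reach {HASH_BITS} bits")
```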

