On Thu, 23 Sep 1999, Steve Philp wrote:
> [EMAIL PROTECTED] wrote:
> >
> > On 22 Sep, John Aldrich wrote:
> > > Well, you see, that's the beauty of MD5 hashes...it's not encryption,
> > > per se. :-) IIRC, MD5 creates a "fingerprint" of the password and
> > > then throws away the password. In the future, if someone wants to
> > > access something with an MD5 hashed password, the password is
> > > re-fingerprinted and compared to the existing hash. If it is a 100%
> > > match, then the person is allowed to go on. If it doesn't match 100%
> > > then it's rejected and the process starts all over again! :-)
> >
> > Right, so... does every system using MD5 have a different algorithm
> > for computing the hash? Thus, my system gets different hashes for the
> > same password? If not, then you could certainly use a dictionary of
> > hashes to get his passwords. If so, then you can still use the brute
> > force crack, assuming you can get ahold of the algorithm that is used to
> > compute passwords. Right?
>
> You're forgetting the salt which is combined with the password to create
> the hash.
Yeah, there are 4096 possible salts in the UNIX system, so multiply the amount
of time needed by 4096 and you'll figure it all out.
>
> > Anyway, it's still bad practice to send passwords, even
> > encrypted/hashcode through e-mail.
>
> Agreed.
Agreed, unless you GnuPG or PGP it, then it's okay :)
> --
> Steve Philp
> Network Administrator
> Advance Packaging Corporation
> [EMAIL PROTECTED]
>
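The salt mechanism discussed above (the 4096 possible salts of classic UNIX crypt(3), and why they multiply the size of a precomputed dictionary of hashes), shown as an added example that is not part of this thread. The hashing scheme itself is a constructed toy, MD5 over salt || password with a 12-bit salt; it is not the real crypt(3) or md5-crypt algorithm, and the password file record format is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Classic UNIX crypt(3) used a 12-bit salt, i.e. the 4096 possible salts
# mentioned in the thread. The hashing below is a constructed toy
# (MD5 over salt || password), not the real crypt(3) or md5-crypt algorithm.
SALT_BITS = 12
SALT_SPACE = 1 << SALT_BITS


def unsalted_hash(password: str) -> str:
    """Bare MD5 of the password: every user with the same password gets the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: int) -> str:
    """Toy salted hash: MD5(salt || password) with a 12-bit salt (hypothetical scheme)."""
    if not 0 <= salt < SALT_SPACE:
        raise ValueError(f"salt must be in [0, {SALT_SPACE})")
    data = salt.to_bytes(2, "big") + password.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def make_record(password: str, salt: Optional[int] = None) -> str:
    """Store the salt next to the digest, as a password file does, so verify() can recompute it.

    Record format (assumed for this example): '<3 hex digits of salt>$<md5 hex digest>'.
    """
    if salt is None:
        salt = secrets.randbelow(SALT_SPACE)  # fresh random salt per user
    return f"{salt:03x}${salted_hash(password, salt)}"


def verify(password: str, record: str) -> bool:
    """Re-fingerprint the candidate with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = salted_hash(password, int(salt_hex, 16))
    return hmac.compare_digest(candidate, digest)


def distinct_hashes(password: str, salts: range) -> int:
    """How many different digests one password produces across the given salts."""
    return len({salted_hash(password, s) for s in salts})


def precomputed_table_size(dictionary_words: int, salt_bits: int = SALT_BITS) -> int:
    """Entries a precomputed dictionary-of-hashes would need to cover every salt value."""
    return dictionary_words * (1 << salt_bits)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = make_record("correct horse", salt=0x123)
    bob = make_record("correct horse", salt=0x456)
    print("unsalted (same for both):", unsalted_hash("correct horse"))
    print("alice record:", alice)
    print("bob record:  ", bob)  # differs from alice although the password is identical
    print("verify correct password:", verify("correct horse", alice))
    print("verify wrong password:  ", verify("wrong", alice))
    print("distinct digests for one password over all salts:",
          distinct_hashes("correct horse", range(SALT_SPACE)))
    print("table entries to cover a 10,000-word list:", precomputed_table_size(10_000))
```

Without the salt, two users with the same password share one hash, so a single precomputed dictionary serves every password file; with a 12-bit salt the same word yields 4096 different digests, which is the "multiply by 4096" in the reply above. Storing the salt in the clear next to the digest is expected; its job is to make precomputation expensive, not to be secret.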