On 22 Sep, John Aldrich wrote:
> Well, you see, that's the beauty of MD5 hashes...it's not encryption,
> per se. :-) IIRC, MD5 creates a "fingerprint" of the password and
> then throws away the password. In the future, if someone wants to
> access something with an MD5 hashed password, the password is
> re-fingerprinted and compared to the existing hash. If it is a 100%
> match, then the person is allowed to go on. If it doesn't match 100%
> then it's rejected and the process starts all over again! :-)

Right, so...  does every system using MD5 have a different algorithm
for computing the hash?  Thus, my system gets different hashes for the
same password?  If not, then you could certainly use a dictionary of
hashes to get his passwords.  If so, then you can still use the brute
force crack, assuming you can get ahold of the algorithm that is used to
compute passwords.  Right?

Anyway, it's still bad practice to send passwords, even
encrypted/hashcode through e-mail.

-Matt Stegman
<[EMAIL PROTECTED]> 
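
The question raised in this message, worked as an added example that is not part of either poster's text: plain MD5 is one fixed public algorithm, so every system stores the same hash for the same password, and a random per-account salt is what makes the stored values differ. The word list, the function names and the salted construction md5(salt + password) are assumptions made for this illustration; the construction is simplified to isolate the effect of the salt.

```python
import hashlib
import hmac
import os
from typing import Optional

def md5_fingerprint(password: str) -> str:
    # Plain MD5 is a fixed public algorithm: every system gets the same digest.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def verify_unsalted(attempt: str, stored_hex: str) -> bool:
    # "Re-fingerprint and compare": the stored hash is never reversed.
    return hmac.compare_digest(md5_fingerprint(attempt), stored_hex)

def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    # A random per-account salt is stored beside the hash, so equal passwords
    # no longer produce equal stored values. Simplified construction (assumed
    # for this example); production systems use a slow salted KDF instead,
    # for example hashlib.scrypt or hashlib.pbkdf2_hmac.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}

def verify_salted(attempt: str, record: dict) -> bool:
    # Recompute with the stored salt, then compare in constant time.
    redo = make_salted_record(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(redo["hash"], record["hash"])

def found_in_precomputed(stored_hex: str, table: dict) -> bool:
    # True if a table of unsalted MD5 digests already contains this value.
    return stored_hex in table

# Constructed sample data: a tiny word list standing in for a hash dictionary.
WORDS = ["letmein", "password", "qwerty"]
TABLE = {md5_fingerprint(w): w for w in WORDS}

if __name__ == "__main__":
    unsalted = md5_fingerprint("password")
    rec_a = make_salted_record("password")
    rec_b = make_salted_record("password")
    print("unsalted hash:", unsalted)
    print("unsalted found in table:", found_in_precomputed(unsalted, TABLE))
    print("salted found in table:  ", found_in_precomputed(rec_a["hash"], TABLE))
    print("same password, different records:", rec_a["hash"] != rec_b["hash"])
    print("verify right / wrong:", verify_salted("password", rec_a),
          verify_salted("qwerty", rec_a))
```
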
