On Thu, 23 Sep 1999, you wrote:
>
> Right, so... does every system using MD5 have a different algorithm
> for computing the hash? Thus, my system gets different hashes for the
> same password? If not, then you could certainly use a dictionary of
> hashes to get his passwords. If so, then you can still use the brute
> force crack, assuming you can get ahold of the algorithm that is used to
> compute passwords. Right?
>
I think it's a LITTLE more complicated than that, but it's
still pretty darn difficult to even THINK about cracking.
After all it's a 128-bit "fingerprint." Here's part of the
man page for md5sum:

    md5sum produces for each input file a 128-bit
    "fingerprint" or "message-digest" or it can
    check with the output of a former run
    whether the message digests are still the same
    (i.e. whether the files changed).

>
> Anyway, it's still bad practice to send passwords,
> even encrypted/hashcode through e-mail.
>
Agreed. :-) My point was basically that, even with the
"extra cpu time" out there it's going to be a LONG time
before someone can crack a 128-bit hashcode. However, your
point of someone being able to run a dictionary through
md5sum and come up with a hash table for "known words" is a
good argument for NOT using "dictionary words." ;-)
John
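
The question raised in this thread (whether the same password hashes to the same value on every system, and what a precomputed table of "known words" then means) can be checked directly. The following is an added example, not part of the original messages: it audits a constructed set of unsalted MD5 digests against a small wordlist, then shows a per-account salt with a slow KDF for comparison. The wordlist, account names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a "dictionary of known words".
WORDLIST = ["letmein", "password", "dragon", "sunshine"]

def md5_hex(password: str) -> str:
    """Unsalted MD5: the same input yields the same 128-bit digest everywhere."""
    return hashlib.md5(password.encode()).hexdigest()

def build_table(words):
    """Precompute digest -> word once; it applies to any unsalted MD5 store."""
    return {md5_hex(w): w for w in words}

def audit_unsalted(stored: dict, table: dict) -> dict:
    """Return the accounts whose stored digest appears in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}

def hash_salted(password: str, salt: bytes = None, rounds: int = 200_000):
    """Per-account random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, dk

def verify_salted(password: str, salt: bytes, rounds: int, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed accounts: one dictionary word, one non-dictionary string.
    stored = {"alice": md5_hex("dragon"), "bob": md5_hex("x9!Tq_unlisted")}
    print("found in table:", audit_unsalted(stored, build_table(WORDLIST)))

    # Same password, two accounts: the salted records do not match each other,
    # so one precomputed table cannot cover both.
    s1, r1, d1 = hash_salted("dragon")
    s2, r2, d2 = hash_salted("dragon")
    print("salted records equal:", d1 == d2)
    print("verifies:", verify_salted("dragon", s1, r1, d1))
```

The 128-bit digest size does not help the dictionary-word account here, because the table lookup never searches the digest space, only the wordlist.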