|
|
Posted by Chris Shiflett on 06/13/05 19:19
Murray @ PlanetThoughtful wrote:
> The app in question was storing the md5 value of 4-digit PINs in the
> background database, and the owners of the app were quietly confident that
> this meant the PINs were 'encrypted' and 'secure'.
Amazing.
Thanks for sharing that. It's a great example. :-)
> Of course, there are only 10,000 possible PIN values between 0000 and 9999,
> regardless of whether or not they're stored in plaintext or md5 hashed form,
> and I guess it took me less than 15 minutes to build a reference table of
> all md5 hash values for the possible plaintext PINs and therefore
> effortlessly retrieve the plaintext PIN values from their table.
There are efforts to create these types of tables for arbitrary strings:
http://md5.rednoize.com/
Of course, it's worth noting that these methods aren't reversing MD5.
> Md5 is a very handy way of 'securing' [1] password information, but only
> when the plaintext value offers enough possible variation in length and / or
> value to make building a 'possible variations' lookup table a difficult
> proposition.
Exactly, and this is why it's a good practice to use a seed when you
generate MD5s for passwords.
Thanks again for the story, frightening as it was. :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Navigation:
[Reply to this message]
|