Re: Repository Passwords are in clear text?

On Thu, 17 Nov 2005 09:31:25 -0500, Paul Koning
<pkoning@equallogic.com> wrote:

>1. Given a message with hash X, it is infeasible to find a different
> message that also has hash X.
>2. It is infeasible to find two messages with the same hash.
>
>#2 is stronger than #1. The weakness that has been discovered relates
>to #2. But #1 is the one most critical to hash-based security
>schemes, and that one still stands.
>
>Of course all this means that, given the choice, you definitely should
>consider avoiding MD5. But it does not mean that the wild assertion
>"MD5 is easily broken by brute force" has any merit.

This is all getting horrible off topic, but AIUI the service offered
at http://www.rainbowcrack-online.com/ /does/ allow you to brute force
7 and 8 char passwords. They have already hashed them all, and do a
hash to password look up (of course, it may not be the /same/
password, but it's still a password that hashes to the same hash as
the password you're looking for). For example, at
http://www.rainbowcrack-online.com/?x=md5 they suggest that their
8-char password table is 49GB big, and takes 18 minutes to search.

OK, so it won't help if your password is bigger than 8 chars.

I'm happy to be corrected if my understanding is incorrect, though.

Greg

-- 
This post represents the views of the author and does
not necessarily accurately represent the views of BT.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org