
Re: Repository Passwords are in clear text?

From: Paul Koning <pkoning_at_equallogic.com>
Date: 2005-11-17 16:04:12 CET

>>>>> "Greg" == Greg Thomas <thomasgd@omc.bt.co.uk> writes:

 Greg> On Thu, 17 Nov 2005 09:31:25 -0500, Paul Koning
 Greg> <pkoning@equallogic.com> wrote:

>> Of course all this means that, given the choice, you definitely
>> should consider avoiding MD5. But it does not mean that the wild
>> assertion "MD5 is easily broken by brute force" has any merit.

 Greg> This is all getting horribly off topic, but AIUI the service
 Greg> offered at http://www.rainbowcrack-online.com/ /does/ allow you
 Greg> to brute force 7 and 8 char passwords. They have already hashed
 Greg> them all, and do a hash to password look up (of course, it may
 Greg> not be the /same/ password, but it's still a password that
 Greg> hashes to the same hash as the password you're looking
 Greg> for). For example, at http://www.rainbowcrack-online.com/?x=md5
 Greg> they suggest that their 8-char password table is 49GB big, and
 Greg> takes 18 minutes to search.

 Greg> OK, so it won't help if your password is bigger than 8 chars.

 Greg> I'm happy to be corrected if my understanding is incorrect,
 Greg> though.

It's a case of wrong terminology. "Brute force" normally means attack
on an arbitrary value by computing all the possibilities. Brute force
on MD5 takes O(2^127) operations, just as brute force on DES takes
O(2^55) operations. So the brute force attack on DES is feasible, the
one on MD5 is not.

The work on hash collisions indicates weaknesses in MD5 that -- IF
exploitable, which they aren't currently -- would offer attacks faster
than brute force.

What Rainbowcrack is offering is not a brute force attack, it's a
dictionary attack. That works for any system in which the protected
data does not involve any variables other than the password. (For
example, you can trivially defeat a dictionary attack by including a
*sufficiently long* "salt" into the password hash.)

              paul
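The distinction Paul draws above (a precomputed hash-to-password table is a dictionary attack, and a sufficiently long salt defeats it) can be shown in a few lines. The following is an added example, not code from the original thread or from Subversion; the word list, the salt lengths and the helper names are constructed for illustration, with a six-entry list standing in for the rainbowcrack-style table over all 7/8-character passwords.

```python
import hashlib
import os

# Constructed stand-in for a precomputed table's password space. The real
# service hashes every 7- and 8-character password once and then answers
# hash -> password queries by lookup; the principle is identical here.
WORDLIST = ["password", "letmein", "hunter2", "qwerty12", "s3cret!!", "abc12345"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_table(words, salt: bytes = b"") -> dict:
    """Precompute digest -> password for every candidate (one-off cost).

    With salt=b"" this is the attacker's generic, reusable table.
    With a specific salt it is a table that is only good for that salt.
    """
    return {md5_hex(salt + w.encode()): w for w in words}


def lookup(table: dict, digest: str):
    """The dictionary attack itself: one table probe per target hash."""
    return table.get(digest)


# Attacker's generic table, built once and reused against every victim.
GENERIC_TABLE = build_table(WORDLIST)


def store_unsalted(password: str) -> str:
    """Hash depends on nothing but the password: the vulnerable scheme."""
    return md5_hex(password.encode())


def store_salted(password: str, salt_len: int):
    """Per-user random salt, stored next to the hash (it need not be secret)."""
    salt = os.urandom(salt_len)
    return salt, md5_hex(salt + password.encode())


def attack_unsalted(digest: str):
    """Generic precomputed table recovers an unsalted password directly."""
    return lookup(GENERIC_TABLE, digest)


def attack_salted_with_generic_table(digest: str):
    """Same generic table against a salted hash: the salt was not part of
    the precomputation, so the lookup misses even for a listed password."""
    return lookup(GENERIC_TABLE, digest)


def attack_salted_per_target(salt: bytes, digest: str, words=WORDLIST):
    """What the attacker is forced into once salts are used: rebuild the
    table for this one salt. The cost is len(words) hashes per target, paid
    again for every user, rather than once for everyone."""
    return lookup(build_table(words, salt), digest)


def table_entries_for_all_salts(n_words: int, salt_bytes: int) -> int:
    """Entries a precomputed table needs to cover every possible salt value.

    This is why the salt has to be *sufficiently long*: a 1-byte salt only
    multiplies the table by 256, which is affordable; 16 bytes multiplies it
    by 2**128, which is not.
    """
    return n_words * 256 ** salt_bytes


if __name__ == "__main__":
    target = "hunter2"
    print("unsalted:", attack_unsalted(store_unsalted(target)))
    salt, salted_digest = store_salted(target, 16)
    print("salted, generic table:", attack_salted_with_generic_table(salted_digest))
    print("salted, per-target rebuild:", attack_salted_per_target(salt, salted_digest))
    print("table size, 1-byte salt:", table_entries_for_all_salts(len(WORDLIST), 1))
    print("table size, 16-byte salt:", table_entries_for_all_salts(len(WORDLIST), 16))
```

Note that the salted scheme does not make any single password harder to guess: the per-target rebuild still finds "hunter2" because it is in the list. What the salt removes is the amortisation, the one-off table that answers every query in seconds, which is exactly what the 49GB/18-minute service sells. MD5 itself is unchanged in both cases; the defence is in what is hashed, not in the hash function.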

Received on Thu Nov 17 16:10:23 2005

This is an archived mail posted to the Subversion Users mailing list.
