Cybersecurity

9943 readers

158 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

166

60% of MD5 password hashes are crackable in under an hour (www.theregister.com)

submitted 2 days ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

41 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Jesus_666@lemmy.world 1 points 1 day ago

In my comment, '"cracking" referred to finding a password that matches the hash. That's common nomenclature. The found password doesn't have to be the original password but it's rather likely at the string lengths involved, especially since Kaspersky used a dictionary to back the attack.

Also, you wouldn't use a hashing function where a large number of inputs of a usual password length turn into the same hash. That would just make all passwords weaker. The point of hashing a password is to store something that (ideally) uniquely matches the correct password but can't be used to easily derive the password.

The factor of 1000 I gave was a very rough ballpark number. I couldn't find any good comparison between the actual throughput of MD5 and bcrypt or Argon2. And yes, a single round of SHA256 would be cracked quickly; it's much less work-intensive than Argon2 and even has dedicated hardware acceleration in modern CPUs. Argon2 with a high work factor is vastly more resistant than MD5 and SHA256.

Also, salting doesn't protect against brute force and enhanced dictionary attacks. The salt is stored with the password so the attacker knows it. It only protects against rainbow tables. Pepper protects against offline cracking.