本站首页    管理页面    写新日志    退出


«July 2025»
12345
6789101112
13141516171819
20212223242526
2728293031


公告
 本博客在此声明所有文章均为转摘,只做资料收集使用。

我的分类(专题)

日志更新

最新评论

留言板

链接

Blog信息
blog名称:
日志总数:1304
评论数量:2242
留言数量:5
访问次数:7567962
建立时间:2006年5月29日




[MySQL]数秒钟之内破解MySQL的MD5函数
软件技术

lhwork 发表于 2007/1/19 9:31:19

As per the documentation on MySQL I moved the storage of passwords from using Password() to using MD5(). I read a number of places that stated that this was a method that couldn't be reversed and it was far more secure than the previous method. I was feeling confident that life was about to get a little more secure. While going through my daily RSS feeds and mailing lists for SpikeSource, I happenned upon a thread about someone discussing how easy it was to break MD5 hashes. It was a simple matter of using a brute force algorithm to check all the different combinations. Eager to try this out for myself, I did a quick Google and found a Project RainbowCrack which was a Windows/Linux utility that would brute force crack MD5 hashes amongst other secure algorithms. Thinking it would be shrouded in mathematical terms and phrases unfamiliar to me I didn't hold out much hope that I could get it to do what I wanted; to take a sample of passwords that were stored in MySQL database tables using the MD5() function and crack them for me. The project builds a number of lookup tables to make the whole process a lot quicker. This in all fairness only took about 18hours to complete on my dual processor 3GHZ machine. After the tables where built it was a simple matter of running a simple command line utility to crack the MD5 hash. Time taken? 1.26seconds! That's how secure MySQL passwords encoded with MD5() are at this precise moment. Some sample output from RainbowCracke:\rainbowcrack-1.2-win>rcrack *.rt -h 7694f4a66316e53c8cdd9d9954bd611d md5_loweralpha#1-7_0_2100x8000000_all.rt: 128000000 bytes read, disk access time: 6.23 s verifying the file... searching for 1 hash... plaintext of 7694f4a66316e53c8cdd9d9954bd611d is qlkjalkj cryptanalysis time: 1.52 s statistics ------------------------------------------------------- plaintext found: 1 of 1 (100.00%) total disk access time: 6.23 s total cryptanalysis time: 1.52 s total chain walk step: 403651 total false alarm: 388 total chain walk step due to false alarm: 579374 result ------------------------------------------------------- 7694f4a66316e53c8cdd9d9954bd611d qlkjalkj hex:71 So really, the only reason to store passwords using MD5() would be to discourage the casual hacker, but it is by no means a secure method as some sites would have you believe. It is fair to note that the RainbowCrack documentation states that salted MD5 hashes can't be broken, but MySQL doesn't salt their implementation so it makes no difference here.


阅读全文(3089) | 回复(0) | 编辑 | 精华
 



发表评论:
昵称:
密码:
主页:
标题:
验证码:  (不区分大小写,请仔细填写,输错需重写评论内容!)



站点首页 | 联系我们 | 博客注册 | 博客登陆

Sponsored By W3CHINA
W3CHINA Blog 0.8 Processed in 0.109 second(s), page refreshed 144775841 times.
《全国人大常委会关于维护互联网安全的决定》  《计算机信息网络国际联网安全保护管理办法》
苏ICP备05006046号