md5 hashes not so safe after all...

[Pieter]

This is scary...



Many sites rely on the md5 algorithm to secure their users' passwords. Well, there's this site that allows you to decrypt md5 hashes. That's right, you can decrypt passwords with this tool! Could this be the end of md5?

To put this into perspective: this site relies on database of md5 hashes but they keep indexing random strings. Passwords with up to three characters or five numbers can be decrypted with ease. My guess is that if I were to check back in a few months, you could decrypt just about any password with up to five characters. And that's creepy. Before you know it, you can decrypt any password using their md5 decryptor...

Site: http://md5.rednoize.com/

Some random tests:
21232f297a57a5a743894a0e4a801fc3 - CRACKED (admin)
5f4dcc3b5aa765d61d8327deb882cf99 - CRACKED (password)
33c5d4954da881814420f3ba39772644 - CRACKED (crackme)
ec79d4bed810ed64267d169b0d37373e - CRACKED (8612)
61ebd641ffb9b13f2b3163677ef58b0a - CRACKED (2w9)
2eaa8683175fa19f2710707e793b1f04 - FAILED (2w9ss)
68dc6cbea6ddad512bc670c0df5c0804 - CRACKED (23984)
22604bba610abedf926b74646008896f - FAILED (613593)
031e174662676c05db4e019eaaa4de3d - FAILED (65151611)
e425adc17b1e4feed1dc295b82d16cbd - FAILED (crackme123)
80e48c2df0e639b36cf2a2a75cbd8fdb - FAILED (imahacker)

[xpgeek]

Well, for the time being, those are pretty simple passwords its managed to crack. My passwords are ALOT more complex then that.

[Ryan Wagner]

My passwords consist of upper & lowercase letters, numbers, and symbols (although a lot of sites don't accept symbols in the password). So I don't think that it will be getting mine anytime soon. But that is indeed scary because it gives hackers an even easier way to make use of databases that they hack online.

[Pieter]

And you know what's about to happen, right? In a few years, they'll be able to crack just about any twelve-character password. We'd better work on a safer algorithm before that happens.

[tafkajp]

Will we still be using passwords in a few years?  Fingerprint scanners, voice and facial recognition, or retina scans could be used in the future on a widespread basis in place of, or in addition to, alphanumeric passwords. 

taf

[Pieter]

The problem with face/finger/eye recognition is that it's not always accurate. The number of false positives (i.e. don't letting you in when you should be able to do so) and false negatives (i.e. letting strangers in) is too high. By contrast: the total number of false positives and negatives that ever occurred in our current password system is 0. Ah well, there are two sides to every penny as usual.

[Ryan Wagner]

I definitely don't think that face/finger/eye recognition will be becoming popular anytime soon. Especially the fingerprint one:

<a href="http://youtube.com/v/LA4Xx5Noxyo" target="_blank">http://youtube.com/v/LA4Xx5Noxyo</a>

[sale]

great tool, but it is not working

[Ryan Wagner]

great tool, but it is not working

It won't work for every hash, but still appears to be up and running.