Quote:
Originally Posted by nhawk
People need to remember that MD5 is a one way hash, it can't be decrypted into plain text.
MD5 was found to be insecure for things like security certificates and the like because of the possibility of a collision (duplicate MD5 hashes). It had nothing to do with password storage. Or at least I never saw anything about passwords and MD5 except to warn that the MD5 hash needs to be properly salted.
That's exactly why it shouldn't be used for passwords, especially if you have an unlimited number of guesses, because you have offline access to the hash values by downloading the user table, to find a collision. Say your password gets hashed to 12345 in the db; then brute-forcing your password, if I have the hash, is just a matter of finding a collision on the hash value 12345, and I can use the "word" that caused the collision to access your account.
Quote:
There are only two ways someone can get the password for vB. One is by brute force, more commonly known as guessing until the password guessed equals the MD5 hash. The other, more common way is for someone to use the same password on multiple sites; the clear text password is stolen and then used to access other sites.
Technically both of those are brute force; most brute-force algorithms try common words or passwords of a particular length before trying all other combinations of that length. As I previously pointed out, if someone has accessed the db and has all the hashes, then there's no "5 attempts and locked out for 15 minutes" preventing brute-force attacks to find a collision.
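An added example of the offline attack described in this thread, written for illustration here and not taken from the thread or from vBulletin's code (it does not reproduce vBulletin's actual hashing scheme). The "leaked" user table, the wordlist and the per-user salts are all constructed inline; in real code the salts would come from os.urandom, they are derived from the username here only so the run is reproducible. The block runs the same dictionary attack against three storage schemes: unsalted MD5, salted MD5, and a salted slow KDF (PBKDF2), and counts how many hash computations the attacker needs, since with the table in hand there is no server-side lockout to stop them.

```python
import hashlib

# Constructed sample data (not real accounts or a real leak).
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "dragon"]
USERS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "password",      # same password as alice
    "dave": "Tr0ub4dor&3",    # not in the wordlist, so never cracked here
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Plain MD5 of the password, the scheme the thread is arguing about."""
    return md5_hex(password.encode())


def store_salted_md5(password: str, salt: bytes) -> str:
    """MD5 over a per-user salt plus the password."""
    return md5_hex(salt + password.encode())


def store_pbkdf2(password: str, salt: bytes, iterations: int = 20_000) -> str:
    """Salted, deliberately slow KDF: each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salt_for(user: str) -> bytes:
    # Deterministic salt purely so the example is reproducible (assumption
    # for this demo only); real code must use os.urandom(16) per user.
    return hashlib.sha256(user.encode()).digest()[:8]


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Offline dictionary attack on unsalted MD5.

    The attacker hashes each guess once and looks every user up against it,
    so the work is len(wordlist) regardless of how many users leaked, and
    users sharing a password are visible as identical hashes."""
    work = 0
    reverse = {}
    for guess in wordlist:
        reverse[store_unsalted(guess)] = guess
        work += 1
    found = {user: reverse[h] for user, h in table.items() if h in reverse}
    return found, work


def crack_salted(table: dict, wordlist, hash_fn) -> tuple:
    """Same attack when the salt sits next to the hash in the leaked table.

    The attacker still has everything needed, but every guess must be
    rehashed for every user, so the work is roughly users * guesses, and
    with a slow hash_fn each of those guesses is expensive."""
    work = 0
    found = {}
    for user, (salt, stored) in table.items():
        for guess in wordlist:
            work += 1
            if hash_fn(guess, salt) == stored:
                found[user] = guess
                break
    return found, work


# Build the three "leaked" tables an attacker might download.
UNSALTED = {u: store_unsalted(p) for u, p in USERS.items()}
SALTED_MD5 = {u: (salt_for(u), store_salted_md5(p, salt_for(u))) for u, p in USERS.items()}
SALTED_PBKDF2 = {u: (salt_for(u), store_pbkdf2(p, salt_for(u))) for u, p in USERS.items()}


def main() -> None:
    found, work = crack_unsalted(UNSALTED, WORDLIST)
    print(f"unsalted MD5: cracked {found} with {work} hashes")
    print(f"alice and carol share a hash: {UNSALTED['alice'] == UNSALTED['carol']}")
    found, work = crack_salted(SALTED_MD5, WORDLIST, store_salted_md5)
    print(f"salted MD5:   cracked {found} with {work} hashes")
    found, work = crack_salted(SALTED_PBKDF2, WORDLIST, store_pbkdf2)
    print(f"PBKDF2:       cracked {found} with {work} guesses of 20000 iterations each")


if __name__ == "__main__":
    main()
```

The salt does not stop a weak password from being guessed; it removes the one-hash-cracks-everyone shortcut and hides which users share a password. What actually raises the attacker's cost per guess is the slow, iterated hash, which is why MD5, salted or not, is a poor fit for password storage once the hashes are in the attacker's hands.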