

Whitepixel v2 now brute forcing 33.1 billion password/sec - mrb
http://blog.zorinaq.com/?e=43

======
ique
I suppose that means if someone managed to get their hands on a database with
MD5-hashed passwords and we disregard the time it takes to query the hard drive
for a match, it could (stupidly) brute-force its way to any 5-character
password consisting of a-Z, 0-9 and !"#€%&/()=?+ in about 0.06 seconds. Or a
6-character password in just under a minute.

That's pretty impressive.

~~~
dedward
Then again, anyone who works on md5 password "cracking" for a living would
likely already have the set of all 5 character printed passwords hashed and
sitting in a database ready for recall with no need to speedily crank through
them.

~~~
nomis80
To understand why your comment does not make sense, please read this:

<http://en.wikipedia.org/wiki/Salt_%28cryptography%29>

~~~
astrodust
There have been an embarrassing number of cases where an application has used
the same default salt on all passwords.

------
kondro
This is very impressive.

Think of all the BitCoins they could create with a setup like that (I get an
average of 50 coins every 26 minutes with
<http://www.alloscomp.com/bitcoin/calculator.php>).

At a current market value of about USD$0.22 per coin, this equates to about
USD$25/hour.

Of course, BitCoin uses SHA256, but how much different from MD5 can that be?

~~~
Tichy
Hm, there is a market value for bitcoins? $25/hour sounds like a very good
deal - as long as power consumption is less, it is a license to print money?

Maybe this is the final incentive for me to look into EC2...

~~~
dedward
I'm not a bitcoins expert - but wouldn't any jump in the availability of
bitcoins necessarily cause deflation, as with any currency?

If someone finds a way to generate, say, 5x more bitcoins than what the average
expected amount is - they have a temporary advantage, but once those coins hit
the market, the market is diluted and will quickly catch up.

Bitcoin has replaced mining gold with generating bitcoins - so it will be
harnessing server infrastructure and good code / math vs. digging big holes
in the ground.

~~~
Zaak
That's true. Also, as more computing power is added to its network, the
difficulty of the hashing problem is increased to maintain the bitcoin
creation rate at about 50 per ten minutes.

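The proof-of-work loop the subthread is talking about, as an added example that is not part of the original thread or of any Bitcoin client. It keeps Bitcoin's double SHA-256 but simplifies the difficulty to "the digest must start with N zero bits" (real blocks encode the target in a compact field and compare little-endian; the expected-work arithmetic is unchanged). The header bytes are constructed, and the 33.1e9 figure is the MD5 rate from the title used only for illustration of how the difficulty would be chosen to hold a block interval fixed.

```python
import hashlib
import math
import struct


def double_sha256(data):
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target(zero_bits):
    """Simplified difficulty for this example: the digest, read as a big-endian
    256-bit integer, must be below 2^(256 - zero_bits), i.e. begin with
    zero_bits zero bits. Raising zero_bits by one doubles the expected work."""
    return 1 << (256 - zero_bits)


def mine(header, zero_bits, start_nonce=0):
    """Try successive 32-bit nonces until the digest is under target.
    Returns (nonce, digest, attempts). Expected attempts: 2**zero_bits."""
    limit = target(zero_bits)
    nonce = start_nonce
    attempts = 0
    while nonce <= 0xFFFFFFFF:
        digest = double_sha256(header + struct.pack("<I", nonce))
        attempts += 1
        if int.from_bytes(digest, "big") < limit:
            return nonce, digest, attempts
        nonce += 1
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


def verify(header, nonce, zero_bits):
    """Checking a solution costs one hash, however many it took to find."""
    digest = double_sha256(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target(zero_bits)


def expected_attempts(zero_bits):
    return 1 << zero_bits


def zero_bits_for_interval(network_rate, seconds):
    """Difficulty (in zero bits) that makes one block take `seconds` on average
    when the whole network tries `network_rate` hashes per second. As more
    hashing power joins, this goes up so the block interval stays the same."""
    return math.log2(network_rate * seconds)


if __name__ == "__main__":
    header = b"constructed-header-v1"   # constructed sample input, not a real block header
    nonce, digest, attempts = mine(header, 16)
    print("nonce %d after %d attempts (expected %d): %s" %
          (nonce, attempts, expected_attempts(16), digest.hex()))
    print("verified:", verify(header, nonce, 16))
    print("zero bits for a 600 s block at 33.1e9 H/s: %.1f" %
          zero_bits_for_interval(33.1e9, 600))
```

Finding a 16-bit solution takes tens of thousands of hashes; verifying it takes one. That asymmetry, and the fact that the required zero bits track the network's total hash rate, is what keeps the creation rate at the fixed interval regardless of how much hardware is pointed at it.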
------
dedward
Let's stop calling it brute-forcing - it's really not - or at least not
calling it decrypting.

~~~
endtime
Here are the usage instructions...sure sounds like brute force to me. Perhaps
you could explain why it isn't?

    Usage: ./whitepixel [OPTION]... [<hash>]

    Main arguments:

      -c <charset>    Generate candidate passwords using the specified charset,
                      which can be:
                        lower  Lowercase
                        upper  Uppercase
                        digit  Digits
                        print  Printable ASCII characters and space [0x20-0x7e]
                        all    All bytes [0x00-0xff]
                      (default: lower)
      -l <length>     Attack passwords of this length (default 5)
      <hash>          MD5 hash to attack (default 00...00)

------
binarymax
What is the minimum safe length when using MD5? I remember seeing 14
somewhere but I can't find the citation. Not forcing everyone to use 14 chars
of course, but adding salt.

~~~
rmc
Don't use MD5.

This only gets faster, not slower. No matter how much you salt your passwords,
soon they will be able to crack your passwords fast enough. And soon there
will be rainbow tables of salts.

~~~
rorrr
That's just not true. If your salt is 1000 characters long, they will need
more energy than the whole universe has to bruteforce it.

~~~
ent
The point of adding a salt to the passwords is not to make decrypting the
individual passwords harder - the salts are kept in plaintext - but to make
the use of rainbow tables impossible. That is, having longer salts will only
make it harder to find out all the people with the same password.

~~~
rorrr
That's assuming the hacker knows the salt, which is not always the case.

------
Tichy
Passwords and MD5?

~~~
mrb
Microsoft is worse: passwords and MD4.

(Windows' newest password hashing algorithm, NTLM, is just a plain MD4 hash of
the password. I estimate my 4x5970 machine can crack NTLM hashes at a rate of
about 45 billion per second.)

~~~
tedunangst
Calling it Microsoft's newest algorithm is very misleading. Microsoft have
themselves deprecated NTLM and recommend Kerberos.

Technically, NTLM will always be the "newest" unless they invent something
newer, but it doesn't mean you need to use it.

~~~
mrb
And Microsoft's Kerberos implementation (AD) hashes passwords on the domain
controller using... NTLM!

How am I misleading?
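
What the NT hash actually is, as an added example that is not part of the original thread or of any Microsoft code: MD4 over the UTF-16LE encoding of the password, with no salt and no iteration, which is why one table or one pass over a wordlist serves every account in a domain. MD4 is implemented here in pure Python from RFC 1320 (current OpenSSL builds often expose it only as a legacy algorithm, so `hashlib.new("md4")` is not relied on); the candidate list in `crack_nt` is constructed sample input.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, additive constant, message-word order, rotation amounts) per MD4 round, RFC 1320
_ROUNDS = (
    (_f, 0x00000000, (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(message):
    """Pure-Python MD4 (RFC 1320). Returns the 16-byte digest."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    message += b"\x80"                                   # padding: one 1-bit, then zeros
    message += b"\x00" * ((56 - len(message) % 64) % 64)  # up to 56 mod 64 bytes
    message += struct.pack("<Q", bit_len)               # 64-bit little-endian bit length
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for offset in range(0, len(message), 64):
        x = struct.unpack("<16I", message[offset:offset + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles so the next step updates the old d
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """The NT hash Windows stores: MD4 over the UTF-16LE password, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def crack_nt(target_hex, candidates):
    """Unsalted, so one MD4 per guess and the same guesses serve every account."""
    target_hex = target_hex.lower()
    for guess in candidates:
        if nt_hash(guess) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("NT hash of '':        ", nt_hash(""))   # the well-known empty-password hash
    wordlist = ["123456", "qwerty", "password", "letmein"]   # constructed sample input
    print("cracked:", crack_nt("8846F7EAEE8FB117AD06BDD830B7586C", wordlist))
```

The RFC 1320 test vectors (for example MD4 of "abc" is a448017aaf21d8525fc10ae87aa6729d) confirm the implementation; the NT hash of "password" is 8846f7eaee8fb117ad06bdd830b7586c and that of the empty password is 31d6cfe0d16ae931b73c59d7e0c089c0, which is simply MD4 of the empty string. Every step is a single unkeyed MD4, so the per-hash cost is the only thing standing between a leaked hash and the password, and that cost is what the GPU figures in the thread measure.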

