[21535] in bugtraq
Re: Messenger/Hotmail passwords at risk
daemon@ATHENA.MIT.EDU (Martin Macok)
Mon Jul 16 13:10:41 2001
Date: Mon, 16 Jul 2001 11:02:35 +0200
From: Martin Macok <martin.macok@underground.cz>
To: Gaurav Agarwal <gaurav_11878@hotmail.com>
Cc: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>, BUGTRAQ@securityfocus.com
Message-ID: <20010716110235.B953@sarah.kolej.mff.cuni.cz>
Mail-Followup-To: Gaurav Agarwal <gaurav_11878@hotmail.com>,
Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>,
BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
In-Reply-To: <OE63kieqXItMcx4vvsG000072b7@hotmail.com>; from gaurav_11878@hotmail.com on Wed, Jul 11, 2001 at 09:56:29AM +0530
Content-Transfer-Encoding: 8bit

On Wed, Jul 11, 2001 at 09:56:29AM +0530, Gaurav Agarwal wrote:
> > > Uh huh. So you are saying that, given MD5(password), password
> > > may be recovered by brute force. And this is new/interesting in
> > > what way?
> >
> > The interesting thing is he can (allegedly) do it at 2.5e6
> > tries/second on an affordable machine. Being able to exhaust all
> > combinations of 8 digits and lowercase letters within 2 weeks
> > makes such an attack much more practical.
>
> The claim that he makes is surely interesting. I tried running the
> md5crack on my system, which is a linux6.1 Intel Pentium 3 733 MHz,
> and I was able to get around 1/100 of what he claims. Although he
> uses a 1GHz AMD, can the performances be so different?

I'm not sure which "md5crack" you're using. I use "mdcrack" from
http://mdcrack.multimania.com/ and you can see its performance on
http://mdcrack.multimania.com/nsindex.html#performance

CPU / hashes/s
PII 350 Mhz -> 1 145 000
Athlon 1 Ghz -> 2 676 400
PIII 752 -> 2 031 292
etc.

On my system
Red Hat 7.1 Linux / kernel-2.4.3-12 / gcc-2.96-85 / AMD Athlon 850
mdcrack reports ~2e6 hashes/sec.

Have a nice day
--
Martin Mačok
underground.cz
openbsd.cz