09-01-2009, 06:33 PM
#16
The Wanderer
Join Date: Sep 2009
Posts: 15
Thanks: 4
Quote:
Originally Posted by Village Idiot
MD5 will always output a base-16 number, so the criteria it could meet do not change one bit when you scramble the value first. If you are going to brute force MD5, you have to start from 0000000.... and end at ffffff... because the values are not reversible and near values do not resemble each other ("hello" and "Hello." are completely different).
How is there a bigger risk of collision with a simple salt?
Now, that's not true about the brute-forcing. Normally you start with the most common signs, ranging from ASCII code 32 (space) to 126 (~). Everything else is not being used (yet) in the common brute-force tools. For instance they start with aaaaaaa, aaaaaab and so on. Normally they don't start with NULNULNULNULNUL.
Using the following code:
PHP Code:
<?php
// md5() returns 32 hex characters; pack('H*', ...) turns them into the 16 raw bytes
$salt = pack('H*', md5('Mysecretpassword'));
you will create this kind of salt:
Quote:
5]~gRF—¿ œÁ¶Ô
Which is with ord(): ord(53) ord(93) ord(22) ord(126) ord(103) ord(82) ord(70) ord(151) ord(191) ord(13) ord(4) ord(156) ord(193) ord(182) ord(212) ord(14)
which is way tougher to brute-force than a salt like:
because you use rare ASCII signs/representations.
About the risk with a simple salt: That's not what I meant :) I mean, there is always a risk that a collision occurs.
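As an added example (my code, not the poster's), the PHP script below builds the raw salt exactly the way the post does and counts how many of its 16 bytes fall outside the 32..126 range that the brute-force tools described above cover; 'Mysecretpassword' is the post's own value, the function names are assumptions of mine.

```php
<?php
// Added example (not the poster's code): reproduce the salt construction from the post
// and show, byte by byte, why a search limited to ASCII 32..126 would not cover it.

// Same as the post: md5() gives 32 hex characters, pack('H*') turns them into 16 raw bytes.
// md5($secret, true) returns the same 16 raw bytes directly.
function rawSalt(string $secret): string
{
    return pack('H*', md5($secret));
}

// Count the salt bytes that fall outside the printable range 32 (space) .. 126 (~).
function bytesOutsidePrintable(string $bytes): int
{
    $outside = 0;
    foreach (str_split($bytes) as $byte) {
        $code = ord($byte);
        if ($code < 32 || $code > 126) {
            $outside++;
        }
    }
    return $outside;
}

$salt  = rawSalt('Mysecretpassword');          // the secret used in the post
$codes = array_map('ord', str_split($salt));   // the values the post lists via ord()

printf("salt length    : %d bytes\n", strlen($salt));
printf("byte values    : %s\n", implode(' ', $codes));
printf("outside 32..126: %d of %d\n", bytesOutsidePrintable($salt), strlen($salt));

// Storage caveat: the raw salt contains control bytes (the post shows 13, 4 and 14),
// so keep it as hex in the database and unpack it again before hashing.
$stored = bin2hex($salt);
if (pack('H*', $stored) !== $salt) {
    exit("hex round-trip failed\n");
}
printf("stored as hex  : %s\n", $stored);
```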