34 Comments
- tuffy, on 10/12/2007, -0/+5
Checksum databases are why hashed passwords should be stored with a random salt. Thus, you store the password as 'salt' + md5sum('salt' + 'password'). Developers who don't do at least that much deserve to be pummeled.
- chachi_arcola, on 10/12/2007, -1/+6
To: abuse@digg.com
Dear Digg,
the following post appears to be phishing for passwords:
http://digg.com/security/Is_your_password_secure_
please have a look, and make up your own mind. Also would it be possible to add Phishing to the list of "Report this" values? Spam doesn't really cover this kind of devious post. Many thanks...
- SuperJdynamite, on 10/12/2007, -0/+4
I've found that the best passwords are actually phrases or complete sentences. Although I haven't rigorously proven this idea mathematically, my phrase-word was one of a handful of passwords that weren't cracked when our sysadmin was testing a password cracking utility that used a huge table of pre-computed hashes.
Intuitively, it might seem that the password "3!qJ6@7Y%e" is harder to crack than "your mother sews socks that smell", but I don't think that's the case. Because of the way hashing works, a dictionary attack won't work against the phrase, even though each of its component words can be found in a dictionary. On the other hand, I feel a pre-computed hash table would be more likely to contain all the random hashes up to a certain length. My point is that using pre-computed hashes, it's easier to break the shorter hash, even though it looks more "complicated" to humans.
There's also a human factors element at work with "complicated" passwords. In systems that encourage users to create short, very complicated passwords, I'm betting the user will actually create the least complicated password that meets the requirements. You'll probably get a lot of passwords that are something to the effect of "!12345a". On the other hand, if a user selects the pass phrase "be sure to drink your Ovaltine", they'll likely remember it and it's more secure than the "complicated" password the system encouraged them to choose.
- geminitojanus, on 10/12/2007, -0/+3
"wow. their database "is 416Gb, with approximately 98 billion rows.""
Imagine it this way; every time anyone enters a password, it MD5s it and adds it to the database (if it's not already there), and checks to see if there's a reverse available.
So in effect, you're dooming yourself by typing in a password to check.
If you want secure passwords, make sure you use password salts (developers) and a long enough string!!!!
- thewebguy, on 10/12/2007, -0/+2
don't put your password in here, especially if you use something slightly less than generic. you're just building up a huge password list for someone else.
- Ryosen, on 10/12/2007, -0/+2
I thought we only had phish on Friday.
Or am I just being paranoid?
- dhughes, on 10/12/2007, -0/+1
Damn, you mean "12345" is not a secure password! :P
- cntp, on 10/12/2007, -0/+1
if you just type in the MD5 hash, they can't get your password. That's sorta the point of hashes. Now if you are dumb enough to type in your actual password....well yeah, you're a dumbass....
- sxtxixtxcxh, on 10/12/2007, -0/+1
i wonder how hard it would be for someone to tie visitor IP addresses with the MD5 queries... my guess? not very.
they now know 30988 passwords for who knows how many IP addresses.
still, it's a useful tool.
- Jaxor, on 10/12/2007, -0/+1
Database is down..already.
Digg for usefulness! :)
- ileadyouth, on 10/12/2007, -0/+1
I was waiting for someone to mention a random salt in here - that is much more secure than just the MD5 (and a dictionary attack).....
+1 to tuffy
- evertvr, on 10/12/2007, -0/+0
Here you can generate a MD5 hash : http://isnoop.net/tools/md5.php
- LucasOman, on 10/12/2007, -0/+0
This is why people have been told to use random letters and numbers with a combination of non-alphanumeric characters and random caps. Duh.
I also find that hosting an MD5 repository is irresponsible and can only be used maliciously. I wish someone would DDoS their site, but the only people with botnets are the people lame enough to want to use an MD5 repository.
I'm guessing that the poster owns or works for the site. That's why he told everyone to go there and check their passwords. Scumbag.
- sxtxixtxcxh, on 10/12/2007, -0/+0
wow. their database "is 416Gb, with approximately 98 billion rows."
- Skrolnik, on 10/12/2007, -0/+0
While you're at it, I'm offering a service that checks your credit card number against the random credit card number generator programs that are out there. If the first digit of your Visa card is a 4, you may be at risk.
- inactive, on 10/12/2007, -0/+0
you would have to be a total retard to type your password into their form. it's just harvesting to create another dictionary.
- evan410, on 10/12/2007, -0/+0
Wow, this is kind of amazing. I went into my forum's database and tried a bunch of the hashes. Not only did my password come back but I was able to obtain the passwords that some of the users used. That's kind of scary.
- rjstone, on 10/12/2007, -0/+0
Everyone who asked "what about salt" gets a + from me.
- ezweave, on 10/12/2007, -0/+0
Yeah... this is inaccurate and foolish. Unless you type in the hash, but you can get collisions, so it doesn't really tell you anything (didn't someone just prove this)... this could be phishing or you could phish off of this.
- smeinzer, on 10/12/2007, -0/+0
BTW, if you need to figure out the md5 hash for one of your passwords you can enter "md5 -s your_password" on the command line. If you end up finding it it might be smart to change it to something more secure.
- ShaolinTiger, on 10/12/2007, -0/+0
***** is worse than my site, 100 diggs and it's out.
- bigdogsteve, on 10/12/2007, -0/+0
you guys use passwords?
- milkfilk, on 10/12/2007, -0/+0
What about the password as the salt? My guess is that it's not a great technique either... but I don't know how the math works out...
- tackhouse1, on 10/12/2007, -0/+0
I agree with what you say, that Jason doesn't have any proof that the site isn't associating IPs with form entries.
But keep these things in mind:
Jason didn't submit his site to Digg
Jason did not ask everyone to "submit their passwords to make sure they're not in the database"; the submitter did that.
The site lists what Hashes are in the database:
* 1-5 Length: a-z, A-Z, 0-9, !@#
* 6-7 Length: a-z, 0-9
* 8-10 Length: 0-9
His site goes to great lengths to explain why he is doing what he is doing.
- JasonRDavis, on 10/12/2007, -1/+1
Ok, let me set the record straight, since most of you are oblivious to what exactly the purpose of md5lookup.com is.
I've been spearheading the site for over 18 months, and all the claims that the site is phishing for passwords are simply that: 'claims'. There is no proof, or grounds for anyone to make that claim, so why were they made? Once again, this site in no way uses phishing or is associated with phishing in any way.
The statistics are comprised of submitted data, but that in no way means that the passwords are being gathered for evil intent. This for one, is not phishing, it's statistical effectiveness and analysis of the technique. For two, no information is kept that would lead back to the submitter. We are not building some huge database of IP addresses and associated passwords. That's ridiculous, and holds no grounds. Where's the proof? Making claims like that is completely idiotic. Please don't label a research site a phishing site because you fail to comprehend the subject matter. That's called ignorance.
Finally, the database is down because of digg.com, and I've updated the search page to reflect that. At first, I thought it was a scripted attack, but after analysis, I came across this topic and realized why all the traffic was being generated. No problem, it'll be back up in a few hours once we get someone to the site to reboot the database server.
Also, the person that submitted md5lookup.com to digg.com in no way is associated w/ the project or website. Nor, did he request my permission to submit the site to digg.com. I walked into my office this morning and went frantic because of a traffic overload. If I had been forewarned, I would have prep'd the servers for the load, and I would have sanctioned the posting. If you have any questions or comments that refer to this project please forward them to my email address, which is located on the website. I'll be happy to clear up any questions you have about the content of the site.
Thanks,
Jason R. Davis
---
Information Security Officer
Dynamic Management Services
www.dynamicmanagement.net
- TODDMAN, on 10/12/2007, -0/+0
The Digg effect is in full force! Site down!!!
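Added example, not code from the thread or from md5lookup.com: the three coverage ranges tackhouse1 quotes above, turned into a small Python check. It counts the plaintexts those ranges describe (which can be set beside the "approximately 98 billion rows" figure sxtxixtxcxh and geminitojanus quote) and tests whether a password is guaranteed to be in an exhaustive table, using candidates from the thread itself, including SuperJdynamite's "3!qJ6@7Y%e" and his passphrase. The ranges are read literally from the comment; anything else the site loaded (dictionary words, submitted passwords) is unknown here and not modelled, so "not covered" means "not in the exhaustive part", not "safe".

```python
import string

# Added example, not from the thread or from md5lookup.com. It takes the
# three coverage ranges tackhouse1 quotes from the site, computes how many
# plaintexts they describe, and checks whether a given password falls inside
# them, i.e. whether its unsalted MD5 must be in the table. The ranges are
# read literally from the comment; nothing here knows what else the site
# loaded (dictionary words, submitted passwords, ...).

LOWER = frozenset(string.ascii_lowercase)
UPPER = frozenset(string.ascii_uppercase)
DIGITS = frozenset(string.digits)
SYMBOLS = frozenset("!@#")

# (min_len, max_len, alphabet) exactly as listed in the comment
COVERAGE = [
    (1, 5, LOWER | UPPER | DIGITS | SYMBOLS),  # 65 symbols
    (6, 7, LOWER | DIGITS),                     # 36 symbols
    (8, 10, DIGITS),                            # 10 symbols
]


def range_size(min_len, max_len, alphabet):
    """Count of distinct strings with lengths min_len..max_len over alphabet."""
    n = len(alphabet)
    return sum(n ** length for length in range(min_len, max_len + 1))


def total_coverage():
    """Rows needed to hold every plaintext in the listed ranges."""
    return sum(range_size(*r) for r in COVERAGE)


def covering_range(password):
    """Return the (min_len, max_len, alphabet) range covering password, or None.

    A password is covered when its length lies inside a range and every one
    of its characters is in that range's alphabet. Anything else, however
    short it looks, is only in the table if the site added it some other way.
    """
    for rng in COVERAGE:
        min_len, max_len, alphabet = rng
        if min_len <= len(password) <= max_len and set(password) <= alphabet:
            return rng
    return None


def is_covered(password):
    return covering_range(password) is not None


def rows_needed_with_salt(salt_hex_chars):
    """Rows a table would need to keep the same coverage once each stored
    value is md5(salt + password) with a random hex salt, as tuffy proposes:
    one full copy of the table per possible salt value."""
    return total_coverage() * 16 ** salt_hex_chars


def report(passwords):
    """Map each candidate password to whether the exhaustive ranges cover it."""
    return {p: is_covered(p) for p in passwords}


if __name__ == "__main__":
    print(f"{total_coverage():,} plaintexts in the listed ranges")
    print(f"{rows_needed_with_salt(16):.3e} rows with a 16-hex-char salt")
    # Candidates taken from the thread itself
    for pw, covered in report([
        "12345", "!12345a", "3!qJ6@7Y%e",
        "your mother sews socks that smell", "password",
    ]).items():
        print(f"{pw!r:40} covered={covered}")
```

The listed ranges come to 92,819,366,597 plaintexts, so roughly 93 of the quoted 98 billion rows are accounted for by exhaustive enumeration alone. Of the candidates from the thread only "12345" is covered; "!12345a" and "3!qJ6@7Y%e" fall outside because the 6 to 10 character ranges exclude symbols and upper case, and even a plain 8-letter word like "password" is outside the exhaustive part (which says nothing about whether it was loaded from a wordlist). rows_needed_with_salt(16) shows why tuffy's salt defeats this kind of table: with a 16-hex-character salt the same coverage would take about 1.7e30 rows.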
- montek, on 10/12/2007, -0/+0
While I appreciate what Jason R. Davis is trying to say about the site, he's missing a key point about phishing by saying "Where's the proof?" in reference to the IP-password association. Sure, they might NOT be associating IPs and whatever folks enter into this form, and are probably not, but they COULD be. And just because one person posts and says that they're not doesn't mean that they are not logging IPs. I can't imagine a web site that doesn't log IPs as a standard practice. And it wouldn't take too much work to reassociate those IPs with searches if they kept track of the dates/times of the searches.
The point being that just saying "Where's the proof?" that you're not doing something bad is equally as blasphemous as folks suggesting that you. Where's the proof that you're NOT doing it?
- dankers, on 10/12/2007, -0/+0
12345!!
I've got the same combination on my luggage!!!
- evertvr, on 10/12/2007, -0/+0
Lol: "Searching has been disabled due to a power outage." Why can't they just say they are victims of the digg-effect :P.
- peterjhill, on 10/12/2007, -0/+0
yeah.. just to reinforce... pasting in an md5 hash does not give someone your password... hashes are one way. that is the point of a hash... it is an algorithm that takes something, does something to it, and gives you another thing and is repeatable. (the things being "password" "md5 algorithm" and "hash value")
this is different from other ways of storing passwords, like CHAP. That is why many forms of wireless authentication suck, because they require sending passwords in a reversible crypt.
- inactive, on 10/12/2007, -0/+0
Their new outage message:
Search the Database
Searching has been disabled due to the digg.com effect, someone submitted the site and of course down goes md5lookup, lol. It'll be 3 hours til it's back up, no one can get to the server til then, we need to reboot the database server. Bad digg.com, Bad, Bad, Bad...
- Snowknight26, on 10/12/2007, -1/+0
Try http://md5.rednoize.com/ instead.
- chachi_arcola, on 10/12/2007, -1/+0
Reported Spam.
goony goo hoo

