Wow, just wow. I came across http://xdecrypt.com/ the other day; it's a huge online resource full of hash values and their corresponding plain-text strings.
Like most people, I am human and don't have a limitless brain for remembering secure, one-off passwords, so I tend to recycle about a dozen. Which password I use depends on how damaging access to the site would be. Also, I don't like pointing accounts at other accounts (i.e. registering on forums with the same password as the mail account etc.), just common sense I guess. My passwords are on a sliding scale of complexity; sometimes I'll apply a unique salt myself, but not always.
Anyway, I digress. Interesting website, I thought; let's see how good it is.
I have a C# program on a virtual machine which converts strings to hash values (I did it for a separate project a few years ago; I must get around to posting something about it, it was quite interesting, all to do with salt values and the like).
So I started this program up and generated a few hash values for passwords I know are quite common (i.e. 'password', 'qwerty', 'password123' and the like). Copied and pasted them onto http://xdecrypt.com/, and unsurprisingly it got them all.
OK, I thought, let's toughen it up a bit. So I converted my lower-security passwords into MD5 hashes. Half of them came up with their corresponding plain texts. I was a little surprised, but not massively, seeing as these passwords are not found in a dictionary and are not combined words.
So, the next level up with my medium passwords: it didn't get any of them, thank goodness!
I dare say, though, it will just be a matter of time...
Which led me on to a few little comments.
Firstly, if you have a database online with passwords in it, please apply a salt value, and a different random one per user. It's not hard, and it means someone who gets hold of your user table can no longer look every hash up in a precomputed table like this one; they have to attack each user's hash separately, which makes it quite a bit harder to go and hijack that person's Facebook account if they use the same password there.
Second, Google has started using two- or even three-factor authentication, and Facebook does something even more interesting (if you log on from a different country it asks you to identify your friends from pictures, very clever). So my point is: can we make multi-factor authentication easier to implement, please?
Third, and most importantly, as webmasters and IT professionals, please let's hash our password tables! And not with a single pass of unsalted MD5, which is exactly what a lookup service like this one is built to reverse; use a per-user salt and a deliberately slow password hash.
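To make the first and third points concrete, here is an added example (not code from the original post, and not the author's C# tool). It builds a small constructed MD5 lookup table standing in for a site like xdecrypt.com, shows that an unsalted MD5 of a common password is recovered instantly by table lookup, and then stores the same password with a per-user random salt and PBKDF2-HMAC-SHA256 (chosen here because it is in the Python standard library; bcrypt, scrypt or Argon2 are better choices if you can add a dependency). The `crack_salted` function shows the caveat: a salt defeats the shared table, but a weak password can still be guessed one user at a time, so the slow hash matters as much as the salt. The password list, iteration count and record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for an online hash lookup table: a handful of common
# passwords pre-hashed with unsalted MD5. Real services hold billions.
COMMON_PASSWORDS = ["password", "qwerty", "password123", "letmein", "123456"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_md5(digest_hex: str) -> Optional[str]:
    """Reverse an unsalted MD5 by table lookup. Instant if the password is common."""
    return MD5_LOOKUP.get(digest_hex.lower())


# Work factor for the slow hash (assumed value; tune so one hash takes a
# noticeable fraction of a second on your server).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as algorithm$iterations$salt$key, salt random per user."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def crack_salted(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker is reduced to against a salted record: re-hash every
    guess with this user's own salt. No precomputed table helps, and the work
    has to be repeated for every user in the table."""
    for guess in candidates:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Unsalted MD5: one dictionary lookup recovers the password.
    unsalted = hashlib.md5(b"password").hexdigest()
    print("md5 lookup:", lookup_md5(unsalted))

    # Salted + slow hash: two users with the same password get different
    # records, neither of which appears in any shared table.
    alice = hash_password("password")
    bob = hash_password("password")
    print("same record for same password?", alice == bob)
    print("alice verifies:", verify_password("password", alice))

    # The caveat: a weak password still falls to a per-user guessing attack,
    # just slowly, which is why the iteration count matters.
    print("cracked alice:", crack_salted(alice, COMMON_PASSWORDS))
```

Run it as a script to see the three outcomes. The record format stores the iteration count alongside the salt so the work factor can be raised later without invalidating existing rows; `verify_password` reads it back rather than trusting a global constant.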