How Secure is Your Password? Rainbow Tables Online
Wow, just wow. I came across http://xdecrypt.com/ the other day; it’s a huge online resource full of hash values and their corresponding plain text strings.
Like most people, I am human and don’t have a limitless brain for remembering secure, one-off passwords, so I tend to recycle about a dozen. How damaging access to the site would be determines which password I use. I also don’t like pointing accounts at other accounts (i.e. registering on forums with the same password as the mail account), just common sense I guess. My passwords are on a sliding scale of complexity; sometimes I’ll apply a unique salt myself, but not always.
Anyway, I digress. Interesting website, I thought; let’s see how good it is.
I have a C# program on a virtual machine which converts strings to hash values (I wrote it for a separate project a few years ago; I must get around to posting something about it, as it was quite interesting, all to do with salt values and the like).
So I started this program up and generated a few hash values for passwords I know are quite common (i.e. ‘password’, ‘qwerty’, ‘password123’ and the like). I copied and pasted them onto http://xdecrypt.com/, and unsurprisingly it got them all.
OK I thought, let’s toughen it up a bit. So I converted my lower-security passwords into MD5 hashes. Half of them came up with their corresponding plain texts. I was a little surprised, but not massively, seeing as these passwords are not found in a dictionary and are not combined words.
So on to the next level up with my medium passwords: it didn’t get any of them, thank goodness!
I dare say though it will just be a matter of time…
Which led me on to two little comments.
Firstly, if you have a database online with passwords in it, please apply a salt value. It’s not hard, and it will make it quite a bit more difficult for someone who gets hold of your user table, with all its hashed passwords, to go and hijack a user’s Facebook account if that person uses the same password there.
Second, Google has started using two- or even three-factor authentication, and Facebook does something even more interesting (if you log on from a different country it gets you to identify your friends via pictures; very clever). So my point is: can we make multiple-factor authentication easier to implement, please?
Third, and most importantly, as webmasters and IT professionals, please let’s hash our password tables!
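To show concretely why a bare MD5 of a common password falls to an online lookup table and what a salt (and a slow, iterated hash) does about it, here is an added example; it is not code from the original post or from xdecrypt.com. The "lookup table" is a constructed dictionary of five common passwords standing in for the large precomputed tables such sites serve, and the stored-record format (`pbkdf2_sha256$iterations$salt$hash`) is an assumption made for this example.

```python
"""Unsalted MD5 vs. salted, iterated hashing, checked against a lookup table.

Added example, not the original post's C# tool. The table below is constructed
from a handful of common passwords to stand in for a large precomputed table.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed hash -> plaintext table.
COMMON_PASSWORDS = ["password", "qwerty", "password123", "letmein", "123456"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted_md5(digest_hex: str) -> Optional[str]:
    """Return the plaintext if a bare MD5 digest is in the table, else None."""
    return LOOKUP_TABLE.get(digest_hex.lower())


def salted_md5(password: str, salt: bytes) -> str:
    """MD5 over salt||password: the same algorithm the post used, but salted.

    Even this minimal change means a precomputed table of MD5(password) values
    no longer matches; MD5 itself is still fast to brute-force, so prefer
    hash_password() below for real storage.
    """
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus an iterated KDF, suitable for a user table.

    A fresh 16-byte salt per user means two users with the same password get
    different stored values, and no precomputed table matches any of them.
    Record format (assumed for this example): pbkdf2_sha256$iters$salt_hex$hash_hex
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo(password: str = "password123") -> dict:
    """Contrast the storage choices for one password against the table."""
    bare = hashlib.md5(password.encode()).hexdigest()
    per_user_salt = os.urandom(16)
    stored = hash_password(password)
    return {
        # Bare MD5 of a common password: found straight away.
        "unsalted_recovered": lookup_unsalted_md5(bare),
        # Same algorithm with a salt: the table has no entry for it.
        "salted_md5_recovered": lookup_unsalted_md5(salted_md5(password, per_user_salt)),
        # Iterated, salted hash: likewise absent from the table.
        "kdf_recovered": lookup_unsalted_md5(stored.split("$")[-1]),
        "verify_correct": verify_password(password, stored),
        "verify_wrong": verify_password("Password123", stored),
        # Two users choosing the same password get different records.
        "same_password_differs": hash_password(password) != stored,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a webmaster is the `same_password_differs` line: with a per-user salt there is nothing to precompute once for everyone, so a leaked user table has to be attacked one row at a time, and the iteration count makes each row slow.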
6 Comments
[…] by gyp on September 16, 2011 in internet with No comments Tweet I’ve noticed that my page about xdecrypt.com has picked up quite a lot of traffic with people asking the same question, so I’ve decided to […]
[…] recent post that is gaining popularity is describing what xdecrypt.com is. For quite a new article it really is making it into the top ten very quickly. I put that down […]
Hey, my name came up on this, what does this all mean? What exactly do the numbers on the left mean, am I at risk by this?
Hi Jude,
In a nutshell, Xdecrypt use a program that searches the web for words and then converts them into a mathematical representation that is unique for that word. This process is called a ‘hash’.
The numbers on the left represent what your name is with this mathematical representation on the same line.
My own belief on this one is that no you are not at risk if your name is listed on the site. If your password was on there I would be slightly more worried, but not necessarily a huge amount.
There’s a big pile of questions in the comments section at the bottom of the ‘what xdecrypt is’ post, and many people have asked the same question as you 🙂
There is also a new part on the xdecrypt site itself explaining how they go about getting the words which they convert into the hashes.
If I can be any further help please don’t hesitate to ask 🙂
Gyp
How do you apply a salt value to a password?? I googled this but I don’t understand. What is it and how do I do it? Thanks!
This isn’t something that you as a user would usually worry about, it’s more the guys who develop software.
However, having said that, you can quite easily salt your own passwords 🙂 For instance, if you want to use the password “Password1” on, say, the website “companya.com”, you could make your password “companya.com.Password1”. As long as your password is hashed and not saved in plain text, it should make it a lot more secure for you.
Hope this answers your question, if you need any more help I will try as best I can.
Gyp