[3865] in cryptography@c2.net mail archive


Re: MD5

daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Dec 28 11:27:29 1998

Date: Sun, 27 Dec 1998 22:57:32 -0800
To: Cryptography List <cryptography@c2.net>, Andrew Maslar <amaslar@home.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <19981225102756.18959@slack.lne.com>

>> md5(x) + md5(x + y + z)
...
>You really want to ask "how hard would be for an attacker
>to compute y?".  
}} ...Or y' which gives the same result....

It depends a lot on how long y is, and somewhat on what x and z are.  
If y is a wimpy password, it's pretty easy ("wimpy" being a highly
precise definition, of course :-).  Basically, anything in a
not very long dictionary is pretty easy to search with a (surprise!)
dictionary search, so typical common-password dictionaries of
~100K common English words and common names are easy targets,
and some few million easily-derived spelling modifications,
reversals, and capitalizations, plus a few million short sets
of letters not necessarily drawn from dictionaries (e.g. all 4-character
ASCII combinations) are also not very hard targets.

So you still, and always, need good passwords, even if you've got
salt to help you.

If you want to implement an efficient search for this sort of thing,
depending on the length of x (especially if it's padded),
you can calculate the state of the MD5 up to some point at or
near the end of MD5-crunching x, so you don't have to duplicate
as much work each time.

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
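The search Bill sketches, written out as an added example (this is not code from the original post or from anyone in the thread). It recovers y from md5(x) + md5(x + y + z) when x and z are known, first over a small dictionary with the cheap derived forms he mentions (capitalization, reversal, digit suffixes), then by brute force over short strings. The prefix x, suffix z and word list are constructed for the demonstration. The "compute the MD5 state up to the end of x once" optimisation is done with hashlib's copy(), which snapshots the full internal state including any buffered partial block, so unlike a hand-rolled MD5 the prefix does not have to end on a 64-byte block boundary.

```python
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

# Constructed sample data (assumptions, not from the thread): a known
# fixed prefix x, a known suffix z, and a small word list standing in
# for a "not very long dictionary".
X = b"user=alice;"
Z = b";realm=example"
WORDS = ["correct", "horse", "battery", "staple", "password", "letmein"]


def h(x: bytes, y: bytes, z: bytes) -> bytes:
    """The construction discussed in the thread: md5(x) + md5(x + y + z)."""
    return hashlib.md5(x).digest() + hashlib.md5(x + y + z).digest()


def candidate_passwords(words: Iterable[str]) -> Iterator[bytes]:
    """Yield each word plus cheap derived forms: capitalized, upper-cased,
    reversed, and each of those with a single trailing digit."""
    seen = set()
    for w in words:
        for base in (w, w.capitalize(), w.upper(), w[::-1]):
            for v in [base] + [base + d for d in string.digits]:
                if v not in seen:
                    seen.add(v)
                    yield v.encode()


def short_strings(length: int, alphabet: str = string.ascii_lowercase) -> Iterator[bytes]:
    """Every string of exactly `length` characters over `alphabet`
    (the 'short sets of letters not drawn from dictionaries' case)."""
    for chars in itertools.product(alphabet, repeat=length):
        yield "".join(chars).encode()


def dictionary_search(target: bytes, x: bytes, z: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate y with md5(x) + md5(x+y+z) == target, or None.

    The first 16 bytes of target are md5(x): they depend only on the known
    x and carry no information about y, so the search keys on the second
    half.  The MD5 state after absorbing x is computed once and copied for
    each guess, so the per-guess work is only the y + z tail.
    """
    if len(target) != 32:
        raise ValueError("expected two concatenated 16-byte MD5 digests")
    if target[:16] != hashlib.md5(x).digest():
        raise ValueError("first half is not md5(x); is x correct?")
    want = target[16:]
    prefix_state = hashlib.md5(x)  # state after x, partial block included
    for y in candidates:
        hc = prefix_state.copy()   # resume from the end of x, not from scratch
        hc.update(y)
        hc.update(z)
        if hc.digest() == want:
            return y
    return None


def demo() -> None:
    # Dictionary-derived password: found after a few hundred guesses.
    target = h(X, b"Password1", Z)
    print("dictionary:", dictionary_search(target, X, Z, candidate_passwords(WORDS)))
    # Three lowercase letters: found by exhausting 26**3 = 17576 guesses.
    target = h(X, b"qzx", Z)
    print("brute force:", dictionary_search(target, X, Z, short_strings(3)))
    # Something outside both spaces: the searches come up empty.
    target = h(X, b"xq9!Zr#L", Z)
    print("miss:", dictionary_search(target, X, Z, candidate_passwords(WORDS)))


if __name__ == "__main__":
    demo()
```

Only the second digest is ever compared; the md5(x) half is a fixed value the attacker can compute themselves, so the salt-like x buys nothing unless y is long enough to put it outside the dictionary and short-string spaces, which is the point of the reply.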

