[Tfug] fast xandros mirror

Michael Stenner mstenner at ece.arizona.edu
Fri Jun 18 11:58:17 MST 2004


I agree with Andrew completely.  An md5sum is a 16 byte = 128 bit
checksum.  While there are an infinite number of strings that will
produce a given sum, it's not so easy to find them.  Assuming it's a
perfect hash (random-like relationship between the input and hash),
which is not quite true but darned close, then each guess has a 3e-39
chance of matching.  If you try a trillion per second, it will take
you on the order of 10 billion years to find one that matches.  

As Andrew says, most password cracking comes from dictionary searches:
people try every word in some well-chosen list of words (English word
+ common names + common substitutions, etc) and then try every
combination of two, etc.  This takes advantage of the fact that the
human's password choice is usually much less random than the generated
hash.  This is why choosing a "good password" is so important.

					-Michael

On Fri, Jun 18, 2004 at 10:59:04AM -0700, Andrew Huntwork wrote:
> While it's true that there are multiple different bitstrings with the 
> same md5 sum, I can say with great confidence that you will never find 2 
> different strings with the same md5 sum and neither has any password 
> cracker.  Password crackers really do just find the original password. 
> The odds of finding such a pair are like 2^64 I guess, and I hear 
> someone, maybe RSA, will give you quite a bit of money if you show them 
> such a pair.  There are definitely no such pairs using strings the 
> length of usual passwords.
> 
> Basically, you can assume that if the md5sums of 2 strings are equal, 
> then the strings are equal.  A lot of other programs and systems do.
> 
> Chris Mathis wrote:
> >though there can be 2 md5 sums that are the same otherwise people would
> >not be able to "crack" a password that has been md5sumed, and the
> >password they get might be a totally different password than the
> >original...
> >
> >Chris
> >
> >On Fri, 2004-06-18 at 10:00, Michael Stenner wrote:
> >
> >>On Fri, Jun 18, 2004 at 09:47:13AM -0700, elemint at theriver.com wrote:
> >>
> >>>Thanks Paul,
> >>>
> >>>     I have been md5 summing the iso not the zip file that explains a
> >>>lot, I was like it is not even close.
> >>
> >>Well, just for the record, md5 sums should NEVER be "close".  If you
> >>change 1 bit in a gigabyte of data, the md5 sum will look completely
> >>different.
> >>
> >>					-Michael
> >
> >---- Once upon a time there was a DOS user who saw Unix, and saw that it
> >was good. After typing cp on his DOS machine at home, he downloaded
> >GNU's unix tools ported to DOS and installed them. He rm'd, cp'd, and
> >mv'd happily for many days, and upon finding elvis, he vi'd and was
> >happy. After a long day at work (on a Unix box) he came home, started
> >editing a file, and couldn't figure out why he couldn't suspend vi (w/
> >ctrl-z) to do a compile. -- Erik Troan, ewt at tipper.oit.unc.edu
> >
> >_______________________________________________
> >tfug mailing list
> >tfug at tfug.org
> >https://www.tfug.org/mailman/listinfo/tfug

-- 
  Michael D. Stenner                            mstenner at ece.arizona.edu
  ECE Department, the University of Arizona                 520-626-1619
  1230 E. Speedway Blvd., Tucson, AZ 85721-0104                 ECE 524G
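
Added example, not part of the original message or thread: a Python sketch of the two properties discussed above, namely that flipping one input bit changes about half of the 128 digest bits, and that a dictionary-built password space is far smaller than the 2^128 digest space. The sample data, the function names and the word-list sizes are constructed assumptions.

```python
import hashlib
import math

# Constructed sample input: 64 bytes, so there are 512 single-bit flips available.
SAMPLE = bytes(range(64))

# Chance that one random guess matches a given 128-bit digest (ideal-hash assumption).
PER_GUESS = 2.0 ** -128


def md5_int(data: bytes) -> int:
    """MD5 digest of data as a 128-bit integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def avalanche(data: bytes, flips: int = 256) -> float:
    """Mean number of digest bits (out of 128) that change per single-bit input flip."""
    if flips > len(data) * 8:
        raise ValueError("not enough input bits to flip")
    base = md5_int(data)
    changed = 0
    for i in range(flips):
        mutated = bytearray(data)
        mutated[i // 8] ^= 1 << (i % 8)          # flip exactly one input bit
        changed += bin(base ^ md5_int(bytes(mutated))).count("1")
    return changed / flips


def guess_space_bits(words: int, variants: int, max_words: int) -> float:
    """log2 of the candidate count for passwords made of 1..max_words
    dictionary words, each word having `variants` spellings/substitutions."""
    per_word = words * variants
    total = sum(per_word ** k for k in range(1, max_words + 1))
    return math.log2(total)


if __name__ == "__main__":
    print(f"per-guess match probability: {PER_GUESS:.2e}")
    print(f"mean digest bits changed by a 1-bit flip: {avalanche(SAMPLE):.1f} of 128")
    # Hypothetical word list: 100,000 words, 50 variants each, up to two words.
    bits = guess_space_bits(100_000, 50, 2)
    print(f"dictionary-style password space: about 2^{bits:.1f} candidates")
    print(f"digest space is 2^{128 - bits:.1f} times larger")
```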

