The Hash Challenge

The Facebook discussion about my previous blog post went off-topic and resulted in an interesting challenge. One of the commenters (Stilgar) was not convinced that passwords hashed with MD5 (or SHA) are so easy to crack if there is a salt. So he posted a challenge:

“I’ll post the hash of a “password” which is going to be a dictionary word with or without mixed case letters and up to 3 digits. There will be salt – 8 random symbols before the password. Whoever posts the right password first gets 100 euro (via PayPal). I accept that I may be wrong, but I would risk 100 euro. In the real world, most sites would sell out a user for 100 euro. If I lose, I’ll admit I’m not right [..]

salt: fe#ad746
MD5: CD7B1E790D877EE64613D7F0FD38932A
Code to generate it: https://dotnetfiddle.net/st0RfL

Bonus for 50 EUR more (another password, same salt)
salt: fe#ad746
SHA1: FE3463DC8B98D33C1DD8D823B0D49DCD991E6627

Note that the salt is short, which distorts the experiment a bit. It matters less than it looks, though: the salt is published together with the hash, exactly as it would be in a leaked database, so its length has no effect on this attack. A salt only defeats precomputed tables; it does nothing against a dictionary attack run against each hash individually. Anyway, here’s what happened:

The original challenge was posted at 00:20

At 5:20 Rumen posted:

The password is: DeveloP9

my code: http://pastebin.com/enzgq1iz

So, here’s my PayPal: ….

At 6:15 Petar posted:

fe3463dc8b98d33c1dd8d823b0d49dcd991e6627:fe#ad746:Techno21

Petar’s line is in the familiar hash:salt:password output format of a cracking tool. The times reported for cracking the challenge on a desktop computer were 1-3 minutes.
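Here is what such a crack looks like in code, as an added example (it is not Rumen’s or Petar’s script, which are linked above). It assumes the challenge’s construction is MD5 or SHA-1 over the UTF-8 bytes of salt + password, which is what the posted solutions imply, and it enumerates exactly the keyspace Stilgar described: a dictionary word, every mixed-case spelling of it, and zero to three trailing digits. The word list is a constructed four-word stand-in for a real dictionary so that the run finishes in seconds.

```python
import hashlib
import itertools
import string

# Challenge parameters as posted: the salt is prepended to the password.
SALT = "fe#ad746"
MD5_TARGET = "CD7B1E790D877EE64613D7F0FD38932A"
SHA1_TARGET = "FE3463DC8B98D33C1DD8D823B0D49DCD991E6627"

# Constructed word list for the demo. A real attack loads a full dictionary
# (hundreds of thousands of words) here instead.
WORDLIST = ["secret", "develop", "techno", "letmein"]


def salted_hex(password, salt, algo):
    """Hex digest of algo(salt + password) over UTF-8 bytes.

    This is the assumed challenge construction ("salt before password");
    algo is a hashlib constructor name such as "md5" or "sha1".
    """
    return getattr(hashlib, algo)((salt + password).encode("utf-8")).hexdigest()


def digit_suffixes(max_digits=3):
    """Yield '' followed by every 1..max_digits digit string ('0', '00', '007', ...)."""
    yield ""
    for n in range(1, max_digits + 1):
        for combo in itertools.product(string.digits, repeat=n):
            yield "".join(combo)


def case_variants(word):
    """Yield every mixed-case spelling of word (2**letters variants)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist, max_digits=3):
    """Enumerate the challenge keyspace: word x case variant x digit suffix."""
    for word in wordlist:
        for variant in case_variants(word):
            for suffix in digit_suffixes(max_digits):
                yield variant + suffix


def keyspace_size(wordlist, max_digits=3):
    """Number of candidates candidates() yields for this word list."""
    suffixes = 1 + sum(10 ** n for n in range(1, max_digits + 1))
    return sum(2 ** sum(c.isalpha() for c in word) * suffixes for word in wordlist)


def crack(target_hex, salt, algo, wordlist, max_digits=3):
    """Return the candidate whose salted hash equals target_hex, or None.

    One fast hash per guess is the whole cost; the known salt adds nothing.
    """
    target = target_hex.lower()
    for candidate in candidates(wordlist, max_digits):
        if salted_hex(candidate, salt, algo) == target:
            return candidate
    return None


if __name__ == "__main__":
    print("keyspace for the demo word list:", keyspace_size(WORDLIST))
    print("MD5 :", crack(MD5_TARGET, SALT, "md5", WORDLIST))
    print("SHA1:", crack(SHA1_TARGET, SALT, "sha1", WORDLIST))
```

keyspace_size shows why this is cheap: a 7-letter word costs 2^7 * 1111 guesses, so even a 100,000-word dictionary is on the order of 10^10 fast hashes, and a salt the attacker already has does not change that number. Run against the posted hashes, the script returns DeveloP9 and Techno21 as long as the assumed salt + password construction is the one the challenge used.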

So Stilgar lost 150 euro (around 180 USD). Hopefully that’s a valuable lesson: storing passwords as the raw output of a fast hash function, salted or not, is wrong. If anyone gets hold of the hash, they effectively have the password. That may be worth way more than 150 euro, especially given the tendency of users to reuse passwords: if your site stores passwords incorrectly, an attacker may get into the same users’ accounts on many other sites.

For precisely that reason, last year I wrote this simple project to verify your site’s password storage mechanism and emphasized that bcrypt is the bare minimum for your website’s security.
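For contrast, here is what the recommended storage pattern looks like, as an added example and not code from the project linked above. bcrypt is a third-party library in Python, so this uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in; the iteration count, the 16-byte salt length and the record format are choices made for this example. The properties that defeat the attack above are the same as bcrypt’s: a random per-user salt stored next to the hash, a work factor that makes every guess cost hundreds of thousands of hash computations instead of one, and a constant-time comparison on verification.

```python
import hashlib
import hmac
import os

ALGO_TAG = "pbkdf2_sha256"   # record tag, so the format can be migrated later
ITERATIONS = 200_000         # work factor chosen for the example; raise it over time
SALT_LEN = 16                # bytes of random salt per password


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: tag$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and no precomputed table applies.
    """
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO_TAG:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with a weaker work factor than the current one.

    Call this after a successful login and re-hash with the new parameters, so
    old records are upgraded as users log in.
    """
    try:
        algo, stored_iterations, _salt_hex, _dk_hex = stored.split("$")
        return algo != ALGO_TAG or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("DeveloP9")
    print("stored record:", record)
    print("correct password verifies:", verify_password("DeveloP9", record))
    print("wrong password verifies:  ", verify_password("DeveloP8", record))
    print("needs rehash:             ", needs_rehash(record))
```

Against this store, the dictionary attack above still works in principle, but every guess now costs 200,000 SHA-256 computations rather than one MD5, and each user’s record has to be attacked separately because of the per-user salt. The work factor is the knob that turns minutes into years; bcrypt’s cost parameter plays the same role.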