Over a million developers have joined DZone.

The Hash Challenge

See Gartner’s latest research on the application performance monitoring landscape and how APM suites are becoming more and more critical to the business, brought to you in partnership with AppDynamics.

The Facebook discussion about my previous blog post went off-topic and resulted in an interesting challenge. One of the commenters (Stilgar) was not convinced that passwords hashed with MD5 (or SHA) are so easy to crack if there is salt. So he posted a challenge:

“I’ll post the hash of a “password” which is going to be a dictionary word with or without mixed case letters and up to 3 digits. There will be salt – 8 random symbols before the password. Whoever posts the right password first gets 100 euro (via PayPal). I accept that I may be wrong, but I would risk 100 euro. In the real world, most sites would sell out a user for 100 euro. If I lose, I’ll admit I’m not right [..]

salt: fe#ad746
MD5: CD7B1E790D877EE64613D7F0FD38932A
Code to generate it: https://dotnetfiddle.net/st0RfL

Bonus for 50 EUR more (another password, same salt)
salt: fe#ad746
SHA1: FE3463DC8B98D33C1DD8D823B0D49DCD991E6627

We must note that the salt is really small, which distorts the experiment a bit, but anyway, here’s what happened:

The original challenge was posted at 00:20

At 5:20 Rumen posted:

The password is: DeveloP9

my code: http://pastebin.com/enzgq1iz

So, here’s my PayPal: ….

At 6:15 Petar posted:


And the times reported for cracking the challenge on a desktop computer was 1-3 minutes.

So, Stilgar lost 150 euro (around 180 USD). But hopefully that’s a valuable story – that using the output of hashing algorithms for storing passwords is wrong. Because if anyone gets hold of the hash, he has the password. And that may be worth way more than 150 euro, especially due to the tendency of users to reuse passwords. If your sites stores password incorrectly, an attack may get the accounts of the same users on many other sites.

For precisely that reason last year I wrote this simple project to verify your site’s password storage mechanism and emphasized on the fact that bcrypt is the bare minimum for your website security.

The Performance Zone is brought to you in partnership with AppDynamics.  See Gartner’s latest research on the application performance monitoring landscape and how APM suites are becoming more and more critical to the business.


Published at DZone with permission of Bozhidar Bozhanov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}