
MD5 and SHA1 password collision example attack vectors

posted Jun 15, 2016, 6:27 AM by Sami Lehtinen   [ updated Jun 16, 2016, 7:44 AM ]
Password limits: max 32 chars, every character in ASCII range 0x20 - 0x7E
People claim that MD5 and SHA1 collisions are trivial and salting doesn't help. So if it's that trivial, please provide me with collisions, because I didn't find any samples by Googling.

Input                        Algorithm  Hash
password                     md5        5f4dcc3b5aa765d61d8327deb882cf99
%$H4LTeD~password%$H4LTeD~   md5        35589ab72ed54bdad5453d7c712afed3
password                     sha1       5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
%$H4LTeD~password%$H4LTeD~   sha1       7ab0bc1a15f6f466066bb445d8524a48a5563a59

If it's as trivial as is being said, someone smarter than me could use those 15 minutes to provide colliding strings for all of the hashes mentioned.
I just personally don't believe it's that easy. But I might be totally wrong.
I've seen a lot of discussion, but not a single practical example anywhere.
If "password" is too hard, almost any English-language word 8 characters long with a colliding string is a perfect start.

As an example, here are some collisions using crc32. All of these words produce the same end result, 35c246d5.
password = afapaheh, avrehnqx, bgdqkibq, bkxwghlw, bwwdbova, cpmlklsb, degegezf, dfirwsly, dutpncnv, dzfartvo, enakbgqc, fodjhfvz, fskymall, gkpuqsef, gtqqdbio, gxmwhcgi, henzclfp, iazezyul, ibtrjocs, inhtfnmu.
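
A checker for submissions to the challenge above, added here as an example and not code from the original post: it enforces the stated password limits, compares digests with or without the `%$H4LTeD~` wrapper, and estimates how many 8-letter lowercase strings are expected to share one digest. The function names, the assumption that the salt wraps the candidate the same way it wraps the original, and the uniform-output model behind the estimate are mine.

```python
import hashlib
import zlib

SALT = "%$H4LTeD~"  # salt string from the page, used as both prefix and suffix
MAX_LEN = 32        # page's stated limit on password length
BITS = {"md5": 128, "sha1": 160, "crc32": 32}
DIGESTS = {
    "md5": lambda data: hashlib.md5(data).hexdigest(),
    "sha1": lambda data: hashlib.sha1(data).hexdigest(),
    "crc32": lambda data: format(zlib.crc32(data), "08x"),
}


def within_limits(candidate: str) -> bool:
    """Page's rule: at most 32 characters, each in ASCII 0x20-0x7E."""
    return len(candidate) <= MAX_LEN and all(0x20 <= ord(c) <= 0x7E for c in candidate)


def digest(algorithm: str, password: str, salted: bool = False) -> str:
    """Hex digest of the password, optionally wrapped in the salt (assumed layout)."""
    text = f"{SALT}{password}{SALT}" if salted else password
    return DIGESTS[algorithm](text.encode("utf-8"))


def is_valid_submission(algorithm: str, original: str, candidate: str, salted: bool = False) -> bool:
    """True only for a different, in-limits string that yields the same digest."""
    return (
        candidate != original
        and within_limits(candidate)
        and digest(algorithm, candidate, salted) == digest(algorithm, original, salted)
    )


def expected_matches(algorithm: str, alphabet: int = 26, length: int = 8) -> float:
    """Expected number of fixed-length strings sharing one given digest,
    modelling the digest as uniform over its output bits (an assumption)."""
    return alphabet ** length / 2 ** BITS[algorithm]


if __name__ == "__main__":
    for word in ["afapaheh", "avrehnqx", "bgdqkibq"]:  # first three words of the page's crc32 list
        print(word, digest("crc32", word), is_valid_submission("crc32", "password", word))
    for name in BITS:
        print(f"{name}: expected 8-letter matches per digest = {expected_matches(name):.3g}")
```

Under that model a 32-bit checksum leaves roughly 49 eight-letter lowercase strings per output value, which is why a list like the crc32 one can be produced by plain enumeration, while the same estimate for a 128-bit or 160-bit digest is far below one.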

Keywords: #password #collision #example #attack #vectors for #sha1 and #md5 #hash #challenge #hacking #cracking