I created a hash which is encrypted like this: $What_i_made=BCrypt(MD5(Plain Text Password))
and I wonder if it can be cracked. Currently, I thought of two ways:
- Brute force $What_i_made to get the MD5 Hash then do a dictionary attack on the MD5 Hash. However, this will take ages as Bcrypt is so slow and a MD5 is 32 characters long.
- $result=Bcrypt(MD5(random combination)) and compare $result to $What_i_made until they match.
This will be much faster, but I am not really sure how to do this. I tried John and Hashcat but I am not really sure how you can do this with them, so I am turning to the community for help. Thanks. 🙂
BTW, any other tools that work will also do, and I would prefer a method which allows for trying every single combination instead of dictionary attacks.
Best Answer
As a password cracker, I encourage all of my targets to use this technique. ;)
It seems like a good idea, but it turns out that against real-world attacks, wrapping an unsalted hash with bcrypt is demonstrably weaker than simply using bcrypt.
This is because attackers can do this:
bcrypt(md5($pass)) corpus, to identify bcrypts with known MD5s
In other words, in many cases you can simply crack the inner hash first. And for a fast hash like MD5, that means that for any password that can be cracked first, bcrypt's resistance to brute-force attack is dramatically weakened.
(I can't take credit for the technique, but it's very effective - especially when users reuse passwords across multiple sites, and the attacker has access to leaked password data.)
Here's a more specific, single-user scenario:
Now, imagine that Attacker wants to attack all 100,000 bcrypt hashes on Site B ... but Attacker also has access to thousands of other leaks:
And yes, the attack can also be done directly - either by MD5'ing the candidate passwords yourself, or using a tool that natively supports bcrypt(md5($pass)), such as MDXfind:
Unfortunately (for the attacker ;) ), it looks like John the Ripper "jumbo" edition doesn't support this algorithm using its dynamic syntax:
But for a focused attacker, it's much more efficient to simply dig out those MD5s from your hashes, and then attack those MD5s at speeds of billions of candidates per second on GPU.
If you want to do something like this - for example, to work around bcrypt's 72-character maximum - use a per-plain salt, a site-wide pepper, or true encryption in the MD5 step.
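The weakness and the pepper mitigation described in the answer above, as an added example that is not part of the original answer. It assumes PBKDF2 from the standard library as a stand-in for bcrypt, HMAC-SHA256 as the keyed pre-hash, and constructed sample passwords; all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: demo cost only, not a tuning recommendation

def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: a salted, deliberately slow hash (PBKDF2 here)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def prehash_plain(password: str) -> bytes:
    """The question's inner step: unsalted MD5, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest().encode()

def prehash_peppered(password: str, pepper: bytes) -> bytes:
    """Keyed inner step: HMAC under a site-wide pepper. The hex form is
    64 bytes, so it fits bcrypt's 72-byte limit and contains no NUL bytes."""
    return hmac.new(pepper, password.encode(), hashlib.sha256).hexdigest().encode()

def store(prehashed: bytes):
    """Return the (salt, digest) record a user table would hold."""
    salt = os.urandom(16)
    return salt, slow_hash(prehashed, salt)

def known_md5_matches(record, known_md5_hex):
    """Audit check: which MD5 values from unrelated leaks verify against
    this record directly, without the plaintext ever being known?"""
    salt, digest = record
    return [m for m in known_md5_hex
            if hmac.compare_digest(slow_hash(m.encode(), salt), digest)]

def demo():
    password = "correct horse battery staple"  # constructed sample
    pepper = os.urandom(32)  # assumption: held outside the database
    # Constructed stand-in for uncracked MD5s taken from another site's leak.
    leaked = [hashlib.md5(p.encode()).hexdigest()
              for p in ("letmein", password, "hunter2")]
    weak = store(prehash_plain(password))
    strong = store(prehash_peppered(password, pepper))
    return known_md5_matches(weak, leaked), known_md5_matches(strong, leaked)

if __name__ == "__main__":
    weak_hits, strong_hits = demo()
    print("plain MD5 pre-hash, leaked MD5s that verify:", weak_hits)
    print("peppered pre-hash, leaked MD5s that verify:", strong_hits)
```

With the unsalted inner MD5, the leaked MD5 of the reused password verifies against the record, so the slow outer hash only has to be run once per known MD5; with the peppered pre-hash nothing from the leak matches.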