What's the purpose of brute forcing MD5 hashes?

Great article about hacking passwords on Ars Technica: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

But what I don't understand is why? From a black hat's standpoint, what's the benefit of having a list of passwords if you don't have the usernames/emails associated with them? Or are the usernames usually associated with password leaks?

I'm just confused because there's all this talk about passwords, but no talk about usernames. What's so beneficial to a hacker about a list passwords? To try on another attack when you have a specific username?

user1399181

Posted 2013-03-25T19:34:06.247

Reputation: 39

1Quoting the linked article: "... Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols—including everything from pet names to cartoon characters—that would seed future password attacks." Forget speculation—RockYou gave us a list of actual passwords picked by actual people. – Daniel Beck – 2013-03-25T19:47:44.613

Answers

Yes, they have the usernames. But the hash tools don't care about the usernames, they separate the usernames out and only feed the password hashes to the cracking tools. Then you match the hashes that you did find to the usernames.

Hmm, that being said, there is still some benefit if you just have the passwords. Knowing that humans are creatures of habit, you could crack this list of passwords, to kind of precompute some hashes for when you do get a list with usernames and passwords. (and have the storage for it). This is better known as Rainbow Tables

The caveat here, is that the lists need to use the exact same hash algorithms, and no (or the exact same) salt.

The other thing: This article (I read it too) was mostly about what the mechanics of password hash matching are. The article was written as a "how easy is it for me to break hashes" not "how do I break in". So, in this very particular case, the usernames were irrelevant for the password cracker's use. So they were not brought up in the context of this very specific article.

Rich Homolka

Posted 2013-03-25T19:34:06.247

Reputation: 27 121

If you can compromise a system to get a list of passwords then it's likely you will be able to get the usernames as well. The interesting thing technically is to 'crack' the password as the usernames will be stored in plaintext. The article as you mention is about decrypting passwords using existing tools and techniques and the ease with which most passwords can be cracked.

Brad Patton

Posted 2013-03-25T19:34:06.247

Reputation: 9 939