I forget the exact details, but if I recall correctly you can crack md5 with a for loop in PHP because you can just iterate through the full character set. Maybe it would take awhile but having seen it in action for shorter examples I doubt that’s going to stop someone sufficiently motivated. Then again, at that point I guess they’d just opt for a tool like hashcat.
Of course not. I’m referring to brute force. The idea that you can’t reverse a hash seemed so obvious to me that I didn’t feel it necessary to disclaim. You can increment characters in php like numbers[0]. It has some funny quirks. It doesn’t loop back around right away. If you write a for loop for that and pass it into the builtin for md5, you can just go until your hashes match. Of course this would take a long time for big hashes and there are other tools that can do this better if you’re motivated anyway. But hey, you can make a fun hash cracker in a few lines if you’re feeling it. My whole point was just that MD5 is fairly weak. Lots of people don’t or at least didn’t use to consider this because it was also (too) convenient.
> I’m referring to brute force. The idea that you can’t reverse a hash seemed so obvious to me that I didn’t feel it necessary to disclaim.
You are confusing hashing with encryption. There is no general way to reverse a hash, be it brute force or an algorithmic method. There are an infinite number of strings that will generate the same MD5 hash. My point is, your for loop may eventually find a string, but it won't be the original AWS secret, so it won't work.
I wasn’t particularly in touch with the concept of hash collisions, no. Now that I’ve learned something I can revel in the fact that it only cost me a silly amount or imaginary internet points to do so. Thanks!
Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
