Can cookies reveal your password?

I've heard somewhere that if someone gets a cookie off your computer for a particular website, they can brute-force the MD5 hash with something called a rainbow table and that will reveal your password, or garble that will function as a password for your user_id. Is this true?
 
If the cookie is being used to store login details then I don't see why there would be any need to brute-force the password; just send the same cookie to the server.

A lot of websites won't be using a cookie to store anything more than a session ID, which may or may not have the same effect. I'm pretty sure most servers will know when the session is invalid... don't know how (IP maybe?)

Also, most decent websites won't use MD5. Personally I tend to just combine them... MD5 / SHA1 / chopping the password around with another field (signup time), which makes brute forcing pretty much useless.
 
Zogger said:
If the cookie is being used to store login details then I don't see why there would be any need to brute-force the password; just send the same cookie to the server.

True, but someone might not care about a particular website and may just want the password from a cookie so he can access all your other accounts, which you may use the same password for.
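The two cookie designs discussed in this thread, side by side, as an added example that is not part of the original posts: a cookie carrying an unsalted MD5 of the password, and a cookie carrying only a random session ID that the server checks against its own records. The function and class names, the cookie layout and the small lookup table (standing in for a rainbow table) are all constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: a tiny precomputed table standing in for a rainbow table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

def weak_cookie(user_id, password):
    """Weak design (hypothetical layout): cookie carries an unsalted MD5 of the password."""
    return f"{user_id}:{hashlib.md5(password.encode()).hexdigest()}"

def password_from_weak_cookie(cookie):
    """Anyone holding the weak cookie can look the digest up; no guessing loop needed."""
    _, digest = cookie.split(":", 1)
    return PRECOMPUTED.get(digest)

class SessionStore:
    """Stronger design: the cookie is a random token, all state stays on the server."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user_id, expiry timestamp)

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # not derived from the password in any way
        self._sessions[token] = (user_id, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return the user_id for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # expired sessions are dropped on first use
            return None
        return user_id

    def logout(self, token):
        # Server-side invalidation: a copied token stops working immediately.
        self._sessions.pop(token, None)

if __name__ == "__main__":
    print(password_from_weak_cookie(weak_cookie("42", "letmein")))  # letmein
    store = SessionStore(ttl_seconds=60)
    token = store.login("42", now=1000)
    print(store.validate(token, now=1030), store.validate(token, now=1060))
```

A copied session token can still be replayed until it expires or the user logs out, but it holds nothing that leads back to the password, so it is of no use against other accounts that share that password.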
 