I have two passwords and two resulting hashes. I can't figure out how the hash is derived from the password. I don't know if salting is used. I don't know if the password is hashed as an integer value or as a string (possibly Unicode).

Password: 6770 Hash: c12114b91a3841c143bbeb121693e80b

Password: 9591 Hash: 25238d578b6a61c2c54bfe55742984c1

The hash length seems to suggest MD5. Anybody has any ideas what I could try?

Note: This is not for hacking purposes. I'm trying to access a service through an API instead of its desktop client, and I can't figure out how to compute the password hash. Currently, instead of using my real password, I'm sending the hash directly.

+25  A: 

Googling up those hash values (!) reveals that 25238d578b6a61c2c54bfe55742984c1 is the md2sum of "9591" (source), and that site has another page confirming the same for 6770 and your first hash value (source2).

(Edit: I have since googled up some md2 source code and cross-checked the hashes.)

(Edited again to comment: You are incredibly lucky that this API uses such a terrible hashing scheme without any salting or prefixes! :-) )

crazyscot
Nice reminder for just how bad unsalted password hashing is.
Michael Borgwardt
+1 - Didn't actually think of googling the hash itself.
Kyle Rozendo
+3  A: 

The API documentation doesn't say? Strange.

In principle, this is an impossible problem - any number of different hash algorithms can give the same results in any given number of particular cases, and then give a different result the first time you rely on one.

In practice, though, you can probably just try a few common crypto hash algorithms and see what they give you. If one matches in a few randomly chosen cases, it's probably right. A malicious person might, e.g., remap a few characters (swap '2' for '3' or whatever - you wouldn't spot that with your example passwords) before applying the main hash algorithm, but it's unlikely in real apps.

BTW - a four-numeric-digit password is about as secure as not having a password at all.

Steve314