MD5 Can be Decrypted. Unbelievable! - CodingForum

  • MD5 Can be Decrypted. Unbelievable!

    Hi Guys!

    Until yesterday I was under the impression that MD5 hashes cannot be reversed and are thus secure, but then I found this site http://www.md5decryption.com/ which actually reverses your MD5 hash value. I was like WTF.

    I am sure there are other sites that can decrypt other hash functions like sha1, tiger160, sha256 etc.

    Please share your views about it.


    Thanks

  • #2
    Technically MD5 can't be "decrypted". It's a hash, it's one way. The only way you can 'decrypt' it is by checking the hash against a database of hashes and values, getting the corresponding hash and returning the value. Of course, this relies on the fact that the entry exists in the database. I believe this is called a rainbow table.

    If you're concerned about this, look into defining your own salt. PHP has a function called crypt; if you use a unique salt, the only way someone could 'decrypt' your hashes is by finding out the salt and then compiling a database of hashes to values, which is very unlikely.

    Regards


    • #3
      Thanks for your assistance.


      • #4
        Do not worry. I have already had such an idea in the past and did some calculations. Most passwords are min 8 digits in length and contain, let's say, just 27 digits. That means 27^8 = 282429536481. That is the total number of hashes you will need to have. Each hash is 32 bytes in length, so the total amount of disk space (I am not speaking about the CPU time needed to generate so many keys) will be 9037745167392 bytes, or put more simply, 8417 gigabytes. And that is the value for passwords with small digits, without upper case and numbers. Of course, one could make some optimizations, I have already thought about that too... you could divide the MD5 into chunks and keep each chunk in separate tables, so later you will just have 4 or 8 digits (the IDs of chunks), but the project is still impossible to implement.


        • #5
          What if someone makes a bot which does a dictionary attack to crack a 32-byte hash? How much time do you think it will take to actually crack that hash?


          • #6
            yes it's been compromised for a while, as of right now you're better off using a salted sha512


            • #7
              Originally posted by cancer10
              What if someone makes a bot which does a dictionary attack to crack a 32-byte hash? How much time do you think it will take to actually crack that hash?
              With a dictionary, it seems that the owner of the password is stupid, and in that case I am on the side of the hacker. Do you know why? Because you should not be so simple-minded as to use a word or combination of words for the password. I personally use an 8 digit pass with both cases, numbers and special chars... and I am changing that password every 3 months.


              • #8
                I have just tried several different passwords (fictitious ones) and it responded every time with
                "A decryption for this hash wasn't found in our database"

                So if it requires a database to be able to backwardly show your password, then entering it to their db perhaps isn't the most sensible idea? Basically, every time someone enters their password to their page, it is being entered into a db which, the cynic in me says, could be used for anything malware related.

                bazz
                "The day you stop learning is the day you become obsolete"! - my late Dad.

                Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!


                • #9
                  Well, I tried this site out and it didn't guess any of my passwords. The only thing it seemed to decrypt successfully was plain dictionary lowercase passwords. For instance, it would decrypt the lower case hash for "hello" but not "Hello". Any complicated password with numbers, higher and lower case chars and other characters it doesn't stand a chance on. My guess is they have just hashed all the words in the English dictionary and recorded the results to compare it to. Actually they tell you what they have done.

                  How many MD5 hashes are in our database?
                  We have encrypted more than 1,300,000 words, phrases, acronyms, etc since 2006.
                  No genius decryption going on there.

                  Having said that, md5 hashing has been obsolete for quite some time now.
                  You can not say you know how to do something, until you can teach it to someone else.


                  • #10
                    Originally posted by bazz
                    So if it requires a database to be able to backwardly show your password, then entering it to their db perhaps isn't the most sensible idea? Basically, every time someone enters their password to their page, it is being entered into a db which, the cynic in me says, could be used for anything malware related.
                    This is exactly why I don't "feed the rainbow table" so to speak. Excellent point, bazz.

                    As timgolding and others stated, there is no "decryption", it's just a rainbow table. In fact, there is no "cracking" of MD5, but there is such a thing as a collision, which has been found to be possible with MD5 and SHA1. So in other words, when this method is undertaken, there is no hash reversal or "crack" of the original value input to the hash mechanism. They are simply finding another value that when input returns the same hash. Why is this a bad thing? If a malicious user gets ahold of your MD5 hashed password database, they don't have to crack them. They can either a) run them against a rainbow table or b) search for collisions. Option 'b' is still at the high academic level, but it is technically possible.

                    I recommend always using a hash salt, and always using SHA256 or above. Not as portable as the old standby MD5 or SHA1, but it's worthwhile.
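
Added example, not code from any post in this thread: the precomputed lookup that posts #2, #9 and #10 describe, next to per-user salted storage. The wordlist is constructed, and PBKDF2-HMAC-SHA256 with 100,000 iterations is this example's own choice for the salted SHA-256 the posts recommend.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the site's database of hashed words.
WORDLIST = ["hello", "password", "letmein", "dragon"]
ITERATIONS = 100_000  # assumed work factor for this example


def md5_hex(text):
    """Unsalted MD5 of a string, as a 32-character hex digest."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Hash every word once; the table is then reusable against any unsalted hash."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(table, digest):
    """Return the stored word for a digest, or None if it was never precomputed."""
    return table.get(digest)


def hash_password(password, salt=None):
    """Return (salt, derived key); a fresh random salt per user defeats shared tables."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print(reverse_lookup(table, md5_hex("hello")))  # dictionary word is in the table
    print(reverse_lookup(table, md5_hex("Hello")))  # one capital letter is not
    alice, bob = hash_password("hello"), hash_password("hello")
    print(alice[1] != bob[1])  # same password, different stored records
    print(verify_password("hello", *alice))
```

Because every record carries its own salt, a table built once cannot be reused across users; the guessing work has to be repeated per record, and the iteration count makes each guess slower.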
