SitePoint Sponsor |
|
User Tag List
Results 1 to 22 of 22
-
Apr 11, 2009, 23:16 #1
MD5 Can be Decrypted. Unbelievable!
Hi Guys!
Until yesterday I was under an impression that MD5 hashes cannot be reversed and is thus secured but then I found this site http://www.md5decryption.com/ which actually reverses your MD5 hash value, I was like WTF.
I am sure there are other sites that can decrypt other hash functions like sha1, tiger160, sha256 etc.
Please share your views about it?
Thanks
-
Apr 11, 2009, 23:21 #2
- Join Date
- Apr 2009
- Posts
- 115
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Do you want our opinions on how they can break these codes? Which one is the most secure hash? If that website is run by the MAKERS of the md5 hash? To be honest the only reason i would use that site is to make sure the right hash is being inserted into my database. I have used that site about two times in my entire life and I was just checking it out to see if it actually worked, not because I actually needed to use it.
~
-
Apr 11, 2009, 23:24 #3
Yes, I wanted opinions on how they can break MD5?
-
Apr 11, 2009, 23:38 #4
Ran the below text into MD5 which results in: 2a27ef56422b4aa947cf530db2b054b8
Code:Encrypt MD5 hash, Decrypt MD5 hash MD5Decryption.com allows you to enter a MD5 hash and we will look into our database and try to decrypt MD5. Basically it is an MD5 decrypter. What is an MD5 hash, or MD5 Checksum? MD5 is a 128-bit message digest function. It is used commonly in user authentication and MD5 checksum for data integrity. How many MD5 hashes are in our database? We have encrypted more than 1,300,000 words, phrases, acronyms, etc since 2006.
-
Apr 11, 2009, 23:41 #5
I have a question in my mind:
What if someone makes a bot which does a dictionary attack to crack a 32 bytes of hash. How much time do you think it will take to actually crack that hash?
-
Apr 12, 2009, 00:09 #6
It would be very quick if the dictionary hashes are pre-computed. It is just a simple lookup. This is why we have salting.
-
Apr 12, 2009, 00:10 #7
- Join Date
- Sep 2005
- Location
- Sydney, NSW, Australia
- Posts
- 16,875
- Mentioned
- 25 Post(s)
- Tagged
- 1 Thread(s)
Since it is a hash it can't be decrypted.
All that you can do is find one of the many values that will produce a given hash. If you use a salt when you hash it then finding a value that will use that salt to produce a given hash is a far more difficult task.
Since hashes were intended for testing if the original content has been altered and are generally sent along with the content that produces the hash it doesn't really matter if someone is able to find another value that produces the same hash as that other value wuill not be a usable substitute for the original.Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
-
Apr 12, 2009, 00:12 #8
-
Apr 12, 2009, 01:28 #9
- Join Date
- Jun 2006
- Location
- Wigan, Lancashire. UK
- Posts
- 523
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
The point is that you don't need to find the exact password, just a value that generates the same hash as the password, so simply saying alphanumeric isn't particularly meaningful. That reduces the cracking technique to a simple brute force attack based on the password, not on the hash.
If you're trying a brute force attack against the hash, and you are fluent in mathematics, then the collision resistance of md5 is 2^21 (or 1 in 2,097,152) if you read this paper or this paper and take a look at hashclash
How long it would take depends on your processing power... how long would it take to execute your computer to execute 2,097,152 md5 tests?
Of course, that's why you limit the number of attempts at a password, and always salt your passwords with a salt that is unique to each user
-
Apr 12, 2009, 05:48 #10
-
Apr 12, 2009, 06:33 #11
- Join Date
- Jul 2002
- Location
- Toronto, Canada
- Posts
- 39,347
- Mentioned
- 63 Post(s)
- Tagged
- 3 Thread(s)
-
Apr 12, 2009, 07:27 #12
- Join Date
- May 2006
- Location
- Lancaster University, UK
- Posts
- 7,062
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
MD5 is an irreversible hash which cannot be 'decrypted'. That's nonsense.
What you see is quite a simple mechanism. People type in text and are shown an MD5 encryption of that text. The text and the MD5 hash is then inserted into a table. To 'decrypt', it simply looks in that table, known as an MD5 rainbow table.
So, if you have a password like 'hello' or 'password', it will no-doubt be in that table and therefore easy to find. That's the reason you shouldn't use common words as passwords.
Mine's a ten-digit random string of numbers and letters. It has a 1-(insert big number here) chance of being in the database, and is unlikely anyone in the world has the same password. Therefore, it has very little chance of ending up in a database.
A common technique here is to salt the password. My method of salting involves inserting characters dotted around the password string before putting it into an MD5 hash. That way, even in the unlikely circumstance that it is retrieved in the first place and the even more unlikely circumstance that it is in a rainbow table (chances further reduced by the inserted characters), a hacker couldn't use it because they don't know my salting technique (which varies depending on aspects of the password itself).
Of course, if someone has access to your MD5ed data in the first place, you have bigger problems than people being able to login to an admin part of your site. Anything they could do can probably be done directly from the database.Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes its enough to make that wheel more rounded"-Molona
-
Apr 12, 2009, 08:18 #13
-
Apr 12, 2009, 08:41 #14
- Join Date
- May 2006
- Location
- Lancaster University, UK
- Posts
- 7,062
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
Yes, but he is an SQL guru, not PHP.
I think I've seen Rudy post on a thread about this before now, so he may just be pulling your legJake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes its enough to make that wheel more rounded"-Molona
-
Apr 12, 2009, 09:07 #15
- Join Date
- Apr 2009
- Posts
- 115
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Maybe he just didn't know about the site? He could have known about MD5 but not about the site
~
-
Apr 12, 2009, 09:20 #16
- Join Date
- Mar 2008
- Posts
- 1,149
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
There are many sites for it. :X
He doesn't know because he dwells into more SQL than writing. Geezes. Not that big of a deal. <: There are probably things that you "should" know but don't know too.
-
Apr 12, 2009, 09:52 #17
- Join Date
- Oct 2005
- Location
- Home
- Posts
- 219
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
My guess on how they did it was the following:
They sat down, thought of a bunch of words, got the MD5 values, and saved them into a database.
Ran the code:
PHP Code:if ($field == "md5 hash string") {
echo 'Actual word';
}
-
Apr 12, 2009, 10:12 #18
- Join Date
- Apr 2009
- Posts
- 115
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Who ssays the creator of the site is the creator of the MD5 hash?
No way to tell. Then again they only have 1,300,000 words in there so that is perfectly possible. It doesn't sound like they have an algorithm for this..
~
-
Apr 12, 2009, 11:25 #19
- Join Date
- May 2006
- Location
- Lancaster University, UK
- Posts
- 7,062
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
The MD5 hash is a public algorithm, and the theory shows that it is completely irreversible.
Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes its enough to make that wheel more rounded"-Molona
-
Apr 12, 2009, 15:29 #20
- Join Date
- Sep 2005
- Location
- Sydney, NSW, Australia
- Posts
- 16,875
- Mentioned
- 25 Post(s)
- Tagged
- 1 Thread(s)
Which does no harm whatsoever given what its intended purpose is.
Since you can't make a minor change to the original without changing the hash, the has serves as a perfectly simple and useful way to be able to confirm that the original content is unchanged when it reaches its destination.
It is only when people start trying to use it for other purposes for which it was never intended that the ability to come up with an original source to match any hash serves any purpose since with its intended purpose the has always accompanies the original source anyway.
You can't decrypt a hash because a hash isn't encrypted in the first place. Hashes are always just plain text unless you actually feed them through some form of encryption process after generating the hash - in which case you'd have to break the encryption in order to recover the hash.Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
-
Apr 13, 2009, 04:37 #21
- Join Date
- May 2006
- Location
- Lancaster University, UK
- Posts
- 7,062
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
My point exactly.
Ok, OP, think of it like this. Say you have a 4-digit binary number 13, 1101.
Now, for each of those digits apply AND with 11, 1011 (i.e. 1 AND 1 = 1, 1 AND 0 = 0 etc).
So your number is now 1001 (9). Apply an XOR with 10, 1010. You now have 3, 0011.
That new number is nothing like the original number; you went from 1101 to 0011. Now, if you applied the same method (AND with 1011 then XOR with 1010) with any other number, you may get completely different results.
But, can you reverse that? The stumbling block there is the AND - the second digit (representing 4) of the original number is now untraceable.
An example which is probably more learner-friendly. Say you have a massive library of books. The hash code for each book is, say, to pick the first letter of every word in that book, add it's ascii value to the ascii value of the last letter of that word and divide by 2, then concatenate it to a string.
Chances are, every one of these codes will be completely different to all of the others, and you'll get no clashes even with thousands and thousands of books.
The difference between these two examples and real life hashes is that you can have a good guess at the original words or numbers. The first one you have a choice, depending on the second binary digit. The second one, you can insert loads of random words, just making sure the average of the first and last letter is the given letter in the string.
In real life hashes such as MD5 and SHA, you have massive amounts of variable solutions to each stage, and the outcome of the next stage will completely alter whether these solutions go right or wrong, and there are alot of stages. In other words, the only way to solve a hash is by checking every single combination of characters in multiple lengths. If the string you want to hash is a whole book, the difference between two very different outcomes could be a simple case of a single tiny change, such as a letter becoming capitalised.Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes its enough to make that wheel more rounded"-Molona
-
Apr 13, 2009, 08:05 #22
- Join Date
- Apr 2009
- Posts
- 7
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
For the New Bies Out There
MD5 is like the result to a Complicated mathematical equation.
For simplicity lets say its "6+4" the answer is 10
So now we have a hash of "10" how many differnt forumals yeild 10?
10+0 1+9 2+8 3+7 4+6 5+5 4+6 3+7 2+8 1+9 0+10
1+2+8 1+3+7 .......
1.5+1.5+7 .....
11-1 12-2 13-3...
Well you get the picture.. The correct answer is there are an infinate number of formulas that can yeild 10
hacking MD5 is based on figureing out A formula that yeilds the same thing..
But more importantly
How do you MODIFY an existing formula to yeild a predicted result
Bookmarks