MD5 Can be Decrypted. Unbelievable!
cancer10
04-12-2009, 06:17 AM
Hi Guys!
Until yesterday I was under the impression that MD5 hashes cannot be reversed and are thus secure, but then I found this site http://www.md5decryption.com/ which actually reverses your MD5 hash value. I was like WTF.
I am sure there are other sites that can decrypt other hash functions like sha1, tiger160, sha256 etc.
Please share your views about it?
Thanks
No, it just matches the words up. They have a database that has something like this:
8b1a9953c4611296a827abf8c47804d7 | Hello
c1a5298f939e87e8f962a5edfc206918 | Hi
Besides, that site can't decrypt anything.
cancer10
04-12-2009, 06:23 AM
You mean they maintain a full dictionary of all hashes?
Yes they do. But does the decryption work for you? It doesn't for me.
cancer10
04-12-2009, 06:25 AM
Works fine for me.
Does "8b1a9953c4611296a827abf8c47804d7" work for you?
cancer10
04-12-2009, 06:28 AM
Nope!
Wow! They actually maintain a db for all possible hashes....
BTW, is it impossible to break or reverse md5?
Not by machine, so what does work for you (md5 please).
cancer10
04-12-2009, 06:30 AM
21232f297a57a5a743894a0e4a801fc3 | admin
202cb962ac59075b964b07152d234b70 | 123
Works fine
Ah.. It does. :D Well, yeah. They just match up in the db.
cancer10
04-12-2009, 06:34 AM
oh!
Thanks for your assistance
cancer10
04-12-2009, 06:48 AM
What if someone makes a bot which does a dictionary attack to crack a 32-byte hash? How much time do you think it will take to actually crack that hash?
Depends. If the hash isn't in the dictionary, it will never be cracked. If it is, then probably only an hour or two on a fast computer — depending on the size of the dictionary, of course. Length doesn't matter with dictionary-based attacks. That's why it's recommended to never use dictionary words as your password (and why you should always add salt to any user-supplied passwords for hashing).
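Added example, not part of any post in this thread: a precomputed MD5 lookup table of the kind described above, and the per-user salt recommended in the reply just before this. The word list is constructed for illustration; the two digests in the demo are the ones quoted earlier in the thread.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the site's database of submitted strings.
WORDLIST = ["Hello", "Hi", "admin", "123", "password", "letmein"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(words):
    """Precompute digest -> plaintext once; every later 'decryption' is a dict hit."""
    return {md5_hex(w.encode()): w for w in words}

def lookup(table, digest):
    """Return the plaintext if this digest was precomputed, else None."""
    return table.get(digest.lower())

def hash_with_salt(password, salt=None):
    """Return (salt, MD5(salt || password)); the salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())

def verify(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_with_salt(password, salt)[1], stored)

def demo():
    table = build_table(WORDLIST)
    salt_a, stored_a = hash_with_salt("admin")
    salt_b, stored_b = hash_with_salt("admin")
    return {
        # Unsalted digests of listed words are found immediately.
        "admin": lookup(table, "21232f297a57a5a743894a0e4a801fc3"),
        "123": lookup(table, "202cb962ac59075b964b07152d234b70"),
        # A string nobody put in the table is never found.
        "not_in_table": lookup(table, md5_hex(b"NIj7U")),
        # The same weak password, salted, no longer matches any table row,
        # and two users with the same password get different digests.
        "admin_salted": lookup(table, stored_a),
        "salted_digests_equal": stored_a == stored_b,
        "verify_ok": verify("admin", salt_a, stored_a),
        "verify_wrong": verify("Admin", salt_a, stored_a),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The salt removes only the precomputation: a weak password can still be guessed one stored hash at a time, and because MD5 is fast, password storage normally uses a deliberately slow function such as bcrypt, scrypt or Argon2.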
cancer10
04-12-2009, 07:04 AM
What if it's an alphanumeric password and the attack is a brute force attack?
Then how much time will it take?
O(36^n) if there are no capitals — that is, the time taken will be proportionate to the number of possible characters to the power of the length of the password. On a (my) modern PC, calculating the MD5 sums of 36 characters takes about 0.0000742776780128479 seconds.
cancer10
04-12-2009, 07:27 AM
O(36^n) if there are no capitals — that is, the time taken will be proportionate to the number of possible characters to the power of the length of the password. On a (my) modern PC, calculating the MD5 sums of 36 characters takes about 0.0000742776780128479 seconds.
I didn't get you. Do you mean a modern PC can crack an alphanumeric password in about 0.0000742776780128479 seconds with a brute force attack?
A single-character one, yes.
cancer10
04-12-2009, 07:40 AM
so if I have a password of 5 characters (NIj7U)
then it would take 5 x 0.0000742776780128479 seconds to crack a password with brute force attack???
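Added example, not part of any post in this thread: the O(36^n) estimate given earlier, applied to the 5-character password asked about above and set beside the "5 x" reading. It assumes the hash rate implied by the timing figure quoted in the thread and an alphabet of 62 characters once capitals are present; both are assumptions of this example.

```python
import string

# Figure quoted in the thread: seconds to compute 36 MD5 sums on the poster's PC.
SECONDS_PER_36_HASHES = 0.0000742776780128479
HASHES_PER_SECOND = 36 / SECONDS_PER_36_HASHES  # roughly 485,000 per second

def alphabet_size(password):
    """36 for lowercase letters and digits, 62 once capitals appear (assumption)."""
    allowed = string.ascii_letters + string.digits
    if not password or any(c not in allowed for c in password):
        raise ValueError("example covers non-empty alphanumeric passwords only")
    return 62 if any(c in string.ascii_uppercase for c in password) else 36

def candidates(alphabet, length):
    """Number of strings of length 1..length: the worst-case count of guesses."""
    return sum(alphabet ** k for k in range(1, length + 1))

def worst_case_seconds(password, rate=HASHES_PER_SECOND):
    """Time to hash every candidate up to the password's length at the given rate."""
    return candidates(alphabet_size(password), len(password)) / rate

def linear_misreading_seconds(password):
    """The 'length x single-character time' reading from the question above."""
    return len(password) * SECONDS_PER_36_HASHES

def human(seconds):
    """Format a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.6f} seconds"

if __name__ == "__main__":
    # Constructed passwords: the thread's example repeated to greater lengths.
    for pw in ("a", "NIj7U", "NIj7UNIj", "NIj7UNIj7UNI"):
        n = candidates(alphabet_size(pw), len(pw))
        print(f"{len(pw):2} chars  {n:.3e} candidates  "
              f"exponential: {human(worst_case_seconds(pw))}  "
              f"linear reading: {human(linear_misreading_seconds(pw))}")
```

Each extra character multiplies the work by the alphabet size rather than adding a fixed amount, which is why the estimate moves from minutes at 5 characters to years at 8 at this hash rate.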
CrazyChop
04-12-2009, 03:13 PM
so if I have a password of 5 characters (NIj7U)
then it would take 5 x 0.0000742776780128479 seconds to crack a password with brute force attack???
Which is why sometimes applications add an additional fixed prefix to a password to make it harder to break, but the world you add that prefix is not easy either. Choosing a wrong one or a simple one is as good as not adding any.
And for the sake of Og, don't md5 a md5 - it's not really useful
thetestingsite
04-12-2009, 03:24 PM
The way that website works is people go to http://md5encryption.com/ (which is the encryption tab on the website linked in the first post), it then encrypts the input to md5 and adds the info to a database. The decryption site then reads from that database and, if it is in there, displays the text for the inputted hash.
Schmoopy
04-12-2009, 06:22 PM
Shouldn't this site be banned? I mean all it does is allow a greater chance of a person gaining access to data, I don't see any benefits from this. Am I missing something?
And of course they can only get md5 hashes that have already been entered into the database, like I can see the benefits of the encrypter, just not the decrypter.
I suppose websites should use better security measures like adding a salt or using a different encryption but there is just no need for md5 decryption (unless I've missed something :p).
Snookerman
04-12-2009, 06:24 PM
Banned by whom?
Schmoopy
04-12-2009, 06:26 PM
The company that hosts it.
Snookerman
04-12-2009, 06:33 PM
Don't get me wrong, I agree that what they are doing is wrong but are there any rules on the web? Can't sites do anything they want almost? I mean, there needs to be some serious shieet in order for a site to be banned. For what it's worth, one benefit of this site is that it encourages people to create more secure encryption systems.
Schmoopy
04-12-2009, 06:41 PM
Well I wasn't actually thinking about asking their host to take down the website or take any kind of action at all. I was more interested as to whether there were any benefits to having MD5 hashes decrypted. But you do have a point, this does make people want to make their sites more secure - but that's only the people who actually know this site exists.
JasonDFR
04-12-2009, 07:00 PM
1) MD5 hashes can not be decrypted. Or encrypted for that matter. Encryption is a totally different thing.
2) The site in question is beneficial to whoever has access to the data it produces and wants to do a dictionary style reversal of an MD5 hash. See 3.
3) The site is not beneficial to anyone if the MD5 hash in question is not in the site's database.
4) For this site to be worth anything to anyone, someone needs to have access to an MD5 hash of something of known value and hope that 3 is not an issue.
To sum up: The site is stupid and I imagine that anyone doing any sort of serious hacking has access to and/or knowledge of much more dangerous stuff.
It's not stupid, but it's not immoral either. It's just a big MD5 dictionary. There's nothing wrong with it. It could even be used to generate some interesting statistics about MD5. With proper application of a salt, which is a basic security measure that everyone should follow, a dictionary attack is not a security issue.
JasonDFR
04-13-2009, 03:04 PM
I hadn't thought about academic purposes. That could be a good use.