
MD5 Can be Decrypted. Unbelievable!

Hi Guys!

Until yesterday I was under the impression that MD5 hashes cannot be reversed and are thus secure, but then I found this site [url]http://www.md5decryption.com/[/url] which actually reverses your MD5 hash value. I was like WTF.

I am sure there are other sites that can decrypt other hash functions like SHA-1, Tiger-160, SHA-256, etc.

Please share your views about it.

Thanks

PHP

24 Comments

@NogDog, Apr 12, 2009 — More than likely they are not, strictly speaking, decrypting it. Rather, they have a look-up table of various strings and their corresponding hashes*. This is why using a salt mechanism is recommended with any type of hash; and if it's for a password, enforcing the use of "strong" passwords will also help.

____________
* In fact, if you type in an invalid hash string on that form and submit it, the result is "A decryption for this hash wasn't found in our database."
@phantom007 (author), Apr 12, 2009 — Oh ok.

I have a question in my mind.

What if someone makes a bot which does a dictionary attack to crack a 32-byte hash? How much time do you think it will take to actually crack that hash?
@Mindzai, Apr 12, 2009 — Such an attack will never work if you follow NogDog's advice and use a salt in your hashes.
@NogDog, Apr 12, 2009 — The bulk of the time needed would be that to create the database of strings and hashes. Once that is created, and assuming the hash column has been indexed, it would take milliseconds for the database to find the match if it exists in the database.

The question would be: how many string/hash pairs do you want to generate and save in that database? If you limit it to only 8-character strings and choose every possible combination of the letters a-z and the digits 0-9, that would be 36^8 or about 2.8 [i]trillion[/i]. So your limiting factor might end up being disk storage space for your database. Most such databases use a more limited library of "likely" passwords, perhaps starting with a dictionary of words and proper names of 4 to 8 characters and then padding them out with combinations of numbers and letters.

As an example, if on that page you linked to I submit the md5 hash for "debbie", it "decrypts" it. But if I submit the hash for "debbie22", it does not find a match. So this database apparently only uses a fairly limited set of words/names. If it were trying to crack password hashes on a site that required a minimum password length of 8 with at least one each of capital letters, lower-case letters, numbers, and special characters, I suspect it would never "decrypt" any of them.
@BrutusUnix, Apr 12, 2009 — Encrypt using: http://www.miraclesalad.com/webtools/md5.php

I tried decrypting: 82baf7a563d5079ed85aeffd6802dfbd

Didn't work; they just do a dictionary lookup on what they have in their database.
@Jeff_Mott, Apr 12, 2009 — NogDog is absolutely right about how md5decryption.com works. [i]But[/i], it's still important to know that MD5 is indeed weak. As far back as 1996, cryptographers recommended that applications stop using MD5. Though few programmers listened, and word didn't spread around very well. Recently, cryptography researchers were able to fake an SSL certificate because the implementation still used MD5.

We really, [i]really[/i] need to stop using MD5.

SHA-1 used to be the best alternative, but even that has been showing signs of weakness.

NIST is hosting a competition to select a new secure hashing standard. That should be finished in 2012. Until then, the current recommendation is to use the SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384, and SHA-512).

And don't forget to salt. Salt is important no matter which algorithm you use.
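A worked version of what NogDog and Jeff_Mott describe above, added here as an example and not code from the thread: a precomputed MD5 look-up table built from a constructed wordlist (the "database" behind a site like md5decryption.com), the storage arithmetic for NogDog's exhaustive 36^8 table, and the per-user salt plus SHA-256 storage the thread recommends, with a check of what a salt actually costs an attacker. The wordlist, the 16-byte salt length and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "decryption" site's database of likely passwords.
WORDLIST = ["password", "letmein", "debbie", "qwerty", "123456", "monkey", "dragon"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> plaintext. A 'decryption' site is this dict, indexed by the hash."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest: str):
    """'Decrypt' = look the hash up. Anything not in the table is simply 'not found'."""
    return table.get(digest.lower())


def table_size_bytes(alphabet_size: int, length: int, digest_bytes: int = 16) -> int:
    """Raw storage for an exhaustive table of every `length`-char string over the
    alphabet: NogDog's 36^8 case is 2.8 trillion rows of (16-byte MD5 + 8-byte
    string), roughly 68 TB before any index. That is the 'disk space' limit."""
    return alphabet_size ** length * (digest_bytes + length)


# The defense the thread recommends: a random per-user salt and a SHA-2 hash.
def hash_password(password: str, salt: bytes = None):
    """Return (salt_hex, sha256(salt || password)); both are stored per user."""
    salt = salt if salt is not None else os.urandom(16)  # 16-byte salt: an assumption
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_password(password: str, salt_hex: str, digest: str) -> bool:
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def crack_salted(words, salt_hex: str, digest: str):
    """What the salt really buys: no shared precomputed table, so the attacker
    must make a fresh pass over the wordlist for every user's salt. A weak
    password still falls; a strong one still does not."""
    for w in words:
        if hash_password(w, bytes.fromhex(salt_hex))[1] == digest:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(lookup(table, md5_hex("debbie")), lookup(table, md5_hex("debbie22")))
    salt, stored = hash_password("debbie")
    print(lookup(table, stored), crack_salted(WORDLIST, salt, stored))
```

The salt defeats the shared table (the salted digest is never found in `table`), but `crack_salted` shows it does not defeat per-user guessing: "debbie" is recovered with one pass over the wordlist for that salt, which is why NogDog's strong-password point still stands. In practice the per-guess cost is raised further with a deliberately slow password hash such as PBKDF2 or bcrypt rather than a single SHA-256.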
@phantom007 (author), Apr 13, 2009 — When you say MD5 is weak, do you mean it is easily crackable?
@aj_nsc, Apr 13, 2009 — Ever hear of rainbow tables?
@grifter7, Jul 24, 2009 — I've heard of them; tried to use one once out of curiosity and it completely crashed my computer. BSoD. Anyway, not to hijack or anything, but does anyone know any good articles on cryptography? I think this thread may have reawoken a passion in a much more knowledgeable me ?. Also, cracking MD5 has been publicly proven, I believe, in freedom of information, but this sort of stuff is a challenge.
@Jeff_Mott, Jul 24, 2009 — These should get you started.

http://www.rsa.com/rsalabs/node.asp?id=2152

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=pd_bxgy_b_img_a

http://www.faqs.org/faqs/cryptography-faq/part01/

Do be aware, however, that most of these sources are old. Though, the fundamentals of cryptography don't change much, so even old material will still tell you much the same information as something new. But any information about the current status of any particular cipher should be taken with a grain of salt.
@aj_nsc, Jul 25, 2009 — [QUOTE]Also cracking MD5 has been publicly proven[/QUOTE]

Example?
@PierceMoore, Jul 25, 2009 — Yeah, I would very much like to see an example of that. The day someone can crack an MD5 hash in a public forum (the right way, not by using md5decryption.com), I will eat my sock.

... because my conscience will make me go to all my clients and make them let me update the code that I have written for them..

:-/
@grifter7, Jul 25, 2009 — Oops, I was talking out my ass. I swear I remember reading something about reverse engineering, but no. Sorry. Thanks Jeff Mott.
@JunkMale, Jul 25, 2009 — I have to say that all claims I have been aware of were followed up quickly by a retraction of the claim.

[QUOTE]Md5 Hash: 10d5dfcdbbcdfa6fd266a02779b1d198

Sorry, this MD5 hash wasn't found in our database[/QUOTE]

Which says it all... "our database". So this is more of a "dictionary" type crack and not an algorithm that cracks the hash.
@Jeff_Mott, Jul 25, 2009 — The terminology is tricky. MD5's [i]collision property[/i] is broken. Originally, I thought this meant that, given a hash, an attacker could compute a string that produces the same hash (a collision). But I was mistaken. That would be what's known as a [i]preimage[/i] attack. A collision attack means an attacker can find two messages that produce the same hash, but the attacker must be able to choose both messages. This is a problem for digital signatures and certificates.

This document explains the situation very well.

http://tools.ietf.org/rfc/rfc4270.txt

Still, neither of the two authors of this document recommends sticking with MD5. Bruce Schneier recommends that everyone migrate to SHA-256, and Paul Hoffman recommends (for now) the continued use of SHA-1, if only for interoperability, until a new standard is reached.

MD5 may still work for us for now, but there are so many hash algorithms to choose from, and MD5 is clearly the weakest of the bunch. As Schneier says, it's better to migrate before there is a panic, instead of after.
@felgall, Jul 25, 2009 — MD5 is a hashing algorithm. Its purpose is to detect whether the text content that is associated with the hash has been tampered with. Each hash has millions of text values that match that one value, but they are scattered all over, so making a minor change to the original text will never result in the same hash, and no meaningful change can match to the same hash either. Thus, if the hash doesn't match the one separately published, then you don't have a copy of the original text. How hard the hash may be to find text that does match is irrelevant, since no matching text is going to serve any useful purpose. Therefore the hash doesn't need to be hard to break; it just needs to have lots of values with a relatively random spread so that making a small change to the original text will always result in a totally different hash.

MD5 has nothing whatever to do with encryption and so is not designed to be hard to decrypt (since it isn't encrypted in the first place).
@Jeff_Mott, Jul 26, 2009 — [QUOTE]How hard the hash may be to find text that does match is irrelevant since no matching text is going to serve any useful purpose.[/QUOTE]

There's a good chance I misunderstood what you meant. But if you meant that finding a string that computes to a given hash isn't useful, then I think you're forgetting a common case.

Web applications typically store only the hash of user passwords. When I log in, the system checks if the hash of what I entered matches the hash in the database. Now, let's assume an attacker has access to the hash of my password. He still can't log in as me, because he still doesn't know my password. But what if he could compute another string, different from my password, but which still hashes to the same value? Now he can log in as me, because to the system, that other string is no different from my password. If they compute to the same hash, then the system thinks it's valid.
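To make the distinction Jeff_Mott draws above concrete (his Jul 25 post on collision versus preimage, and the login case here), an added example that is not code from the thread. It uses the two 128-byte messages published by Wang, Feng, Lai and Yu in 2004, the standard MD5 collision pair: the attacker chose both, they differ in exactly six bytes, and they share an MD5 digest. It also shows the length-extension consequence that made the faked SSL certificate possible. The function names are mine.

```python
import hashlib

# The two 128-byte colliding messages from Wang, Feng, Lai and Yu (2004).
# Every byte is identical except six, yet both have the same MD5 digest.
M0 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_bytes(a: bytes, b: bytes) -> list:
    """Offsets at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_collision(a: bytes, b: bytes, algo: str = "md5") -> bool:
    """True when two *different* messages share a digest under `algo`.
    This is the collision property; it says nothing about hitting a digest
    that someone else fixed in advance (a preimage), which is the login case."""
    return a != b and hashlib.new(algo, a).digest() == hashlib.new(algo, b).digest()


def extend_collision(suffix: bytes):
    """MD5 is an iterated (Merkle-Damgard) hash: once two whole-block prefixes
    collide, appending the same suffix to both keeps them colliding. Two
    certificate bodies sharing such a prefix would carry the same MD5 signature."""
    return M0 + suffix, M1 + suffix


if __name__ == "__main__":
    print(md5_hex(M0) == md5_hex(M1), differing_bytes(M0, M1))
    a, b = extend_collision(b"-- same text appended to both --")
    print(is_collision(a, b), is_collision(a, b, "sha256"))
```

Note what this does and does not give an attacker: `M0` and `M1` were both constructed by the attacker, so neither is anything like a victim's password hash already sitting in a database. Turning a stored hash into a working password would need a preimage or second-preimage attack, which is not what is broken here. The same pair under SHA-256 does not collide.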
@PierceMoore, Jul 26, 2009 — It seems almost impossible, though. I mean, how would one go about finding a string that hashes the same?

I would say that, with a team of 50 programmers, each monitoring a thousand supercomputers, that would still take a large number of years to find the correct string.. ?

(I know, incredibly over-the-top dramatic, but it does sound almost impossible :-P)
@Jeff_Mott, Jul 26, 2009 — [QUOTE]It seems almost impossible, though, I mean how would one go about finding a string that hashes the same?[/QUOTE]It's a highly mathematical craft. To see an example, you can check how past hashes have been broken: [url=http://www.di.ens.fr/~leurent/files/MD4_FSE08.pdf]MD4 is Not One-Way[/url].

[QUOTE]I would say that, with a team of 50 programmers, each monitoring a thousand supercomputers, that would still take a large number of years to find the correct string.. ?[/QUOTE]You seem to be assuming a brute-force search. That's not how it would be done. If brute-forcing is the only option, then the algorithm is considered secure. Rather, attackers reverse engineer the algorithm to determine what input must have been fed to each part of the system to produce the given output.
@grifter7, Jul 26, 2009 — It would be pretty useless if a text file had been hashed that you wanted to read. And isn't the mathematical restructuring of a hash what rainbow tables do?
@Jeff_Mott, Jul 26, 2009 — [QUOTE]It would be pretty useless if a text file had been hashed that you wanted to read.[/QUOTE]Yes, that would be useless. Though, the case I described is very common to Web applications, and is nothing like this scenario.

[QUOTE]And isn't the mathmatical restructuring of a hash what rainbow tables does?[/QUOTE]A rainbow table is just a lookup table, a database of pre-computed hashes. So no.
@vonshavingcream, Jul 27, 2009 — [QUOTE]Ever hear of Rainbow Tables?[/QUOTE]

The second line in the description at the wiki link:

"A salt is often employed with hashed passwords to make this attack more difficult, often infeasible"

What I have done in the past for things that require a more "secure" password is appending to the md5 hash my own "license" key string.

For example, in the db a stored password would look like this:

d41d8cd98f00b204e9800998ecf8427e.65b756110717bbd2271f75734b3858cc

The md5 after the . is something like the IP string that the user used the last time they accessed, or an md5 of a string added to a cookie on the client machine, or something.

Not only does this add an "extra layer" of protection, since the hacker would need to know it exists, but then they would have to determine what the string was and how it was added.

Another little trick would be to truncate the md5 string after the .

Maybe select 10 chars from the 6th char out and store that.

If that doesn't match, then the system complains at them with a simple notification they must click past, which triggers an email to the one registered with the user information.

I've employed this type of "extra layer" for about 8 years now with very few (under 1%) complaints from customers and/or their users.
@Jeff_Mott, Jul 27, 2009 — [QUOTE]the md5 after the . is something like the ip string that the user used the last time they accessed. or an md5 a string added to cookie on the client machine, or something.[/QUOTE]

Does that prevent your users from logging in from different computers?

Say, for instance, a person at work creates an account on your site. Their work IP address is used in the hash, or a cookie is set on their work computer. Then they go home and try to log in from their home computer where the IP is different and no cookie is set. Will they be rejected?
@vonshavingcream, Jul 27, 2009 — No, not rejected, but they do get notified via email that the account was accessed.

They also have to click manually on a link to continue. You could also add a captcha box at this point as well.