andrei.mita wrote:because md5 is not encryption this means that if i have an md5 i can't see what the cleat text is, am I correct?
Md5 is a hash function. It takes the input (the password, in this example), and generates a repeatable hash based on that password.
You cannot take the hash and *using a formula*, get the original input back.
That means you cannot recover the clear text.
andrei.mita wrote:for instance, if i save the md5 of if the user's passwords i will never be able to see the acctual password, correct?
The better statement would be "An md5 of a user's password cannot be reversed to find the actual input".
The difference is that there are ways to find the input by repeating the process (ie, doing something other than a simple reversal of the algorithm).
hawleyjr wrote:Incorrect. chances are you can look it up on one of the many md5 crack sites.
Please, please do not call them crack sites. They didn't crack md5*.
They didn't find a flaw in the algorithm.
Those sites simply generate massive numbers of inputs and outputs, and store them. They then strap a simple lookup to them, making fast lookup possible.
Thats not a crack - that is a lookup. Its sometimes called a Rainbow table.
Generally, the lookup sites are under 8 characters, and don't contain punctuation, etc.
Also, if you use a salt (as you always should) with your hash, the rainbow tables are rendered
useless, proving that it is not a crack in the md5 algorithm.
* There has however been several crypto discoveries in the last few years dramatically reducing our perceived strength of the algorithm. Without dragging several pages into the discussion, I'll simply say that they really don't apply much to password hashing - especially if you use a salt properly.