Decrypting MD5

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
jasonmc
Forum Newbie
Posts: 7
Joined: Wed Oct 06, 2010 5:02 am

Decrypting MD5

Post by jasonmc »

Hi does anybody know of a way of decrypting MD5? Basically I have a website where if you forget your details it emails them to you, but the password is encrypted...is there a way around this? I have spent ages researching it but it doesn't seem possible. Many thanks in advance for any advice.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Decrypting MD5

Post by Weirdan »

jasonmc wrote:Hi does anybody know of a way of decrypting MD5?
MD5 cannot be decrypted because it's not an encryption algorithm to start with. MD5 is a hash function.
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: Decrypting MD5

Post by John Cartwright »

jasonmc wrote:Hi does anybody know of a way of decrypting MD5? Basically I have a website where if you forget your details it emails them to you, but the password is encrypted...is there a way around this? I have spent ages researching it but it doesn't seem possible. Many thanks in advance for any advice.
Generate a very short lived token for them, and email them a password reset form with this particular token, and allow them to change their password (probably after additional security checks, i.e., mothers maiden name).
jasonmc
Forum Newbie
Posts: 7
Joined: Wed Oct 06, 2010 5:02 am

Re: Decrypting MD5

Post by jasonmc »

Thanks for the replies Wierdan and John :) Is there a simpler way I could do this such as a different encryption method so I can have an encrypted password in the database and a decrypted one sent? The token idea sounds very (very) good (and would work) but a bit too complex. I dont actually know how to send a form in an email. Many thanks again for the help.
User avatar
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Decrypting MD5

Post by Eran »

Don't store passwords in your database (encrypted or plain-text). If someone gains access to your database it's only a matter of time before he has all the passwords (encryption can be broken). Most users use the same passwords on many sites so you'll be putting them at harms way.
Last edited by pickle on Thu Oct 14, 2010 9:36 am, edited 1 time in total.
Reason: "plain-test" => "plain-text"
User avatar
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Decrypting MD5

Post by Jonah Bron »

Besides, that's the whole idea behind encrypting it in the database. What would be the point of storing it in plain-text too? :)

There are some great tutorials on the concepts and implementations of password stuff; I suggest you Google around.
InsanityNet
Forum Newbie
Posts: 6
Joined: Mon Oct 25, 2010 12:37 pm

Re: Decrypting MD5

Post by InsanityNet »

Eran wrote:Don't store passwords in your database (encrypted or plain-text). If someone gains access to your database it's only a matter of time before he has all the passwords (encryption can be broken). Most users use the same passwords on many sites so you'll be putting them at harms way.
Thats why you should use salts.

IE:

My password is: password
My password encoded is: 5f4dcc3b5aa765d61d8327deb882cf99
Most users use a simple password like cat,dog,name.lastname, etc

Because of this, the password can easliy be discovered by using a rainbow table.

Try it at This Site. Use the md5 provided above.
(Note, I have not added to the database. When you encode a string in md5, this site will add it as a md5/no-md5 pair, be careful!)
Now, lets add a simple salt shall we?

My Salt: mysimplesalt
My Salt (MD5): b47810f1b754c5c43e966c039ef70b31

My password to MD5 now become: b47810f1b754c5c43e966c039ef70b31password
My salted password is: 25556231aaacbdcd4e3128f098047f41

Now, it is almost impossible to decode this MD5 without knowing what the salt is.

Code: Select all

<?php
$pass = "25556231aaacbdcd4e3128f098047f41";
$salt = "mysimplesalt";
function encode($str) {
global $salt;
return md5(md5($salt).$str);
}
if (encode("password") == $pass) {
echo "Correct!";
} else {
echo "Denied!";
}
?>
You can look at the code here
jrgp
Forum Newbie
Posts: 4
Joined: Mon Nov 01, 2010 8:57 am

Re: Decrypting MD5

Post by jrgp »

As others have mentioned, MD5 hashes cannot be decrypted since they are one way. The two ways of cracking them are using a dictionary of known MD5 hashes and seeing if your hash exists in the dictionary (which is why you should use salts), and brute forcing them using a free tool such as John the Ripper, especially in a cluster, (which is why you should use special characters in the string you're hashing since that'll take longer to brute force than if you just use alphanumeric)

I hope this helps somewhat.
Post Reply