Page 1 of 1
Decrypting MD5
Posted: Wed Oct 13, 2010 9:13 am
by jasonmc
Hi does anybody know of a way of decrypting MD5? Basically I have a website where if you forget your details it emails them to you, but the password is encrypted...is there a way around this? I have spent ages researching it but it doesn't seem possible. Many thanks in advance for any advice.
Re: Decrypting MD5
Posted: Wed Oct 13, 2010 9:38 am
by Weirdan
jasonmc wrote:Hi does anybody know of a way of decrypting MD5?
MD5 cannot be decrypted because it's not an encryption algorithm to start with. MD5 is a
hash function.
Re: Decrypting MD5
Posted: Wed Oct 13, 2010 1:34 pm
by John Cartwright
jasonmc wrote:Hi does anybody know of a way of decrypting MD5? Basically I have a website where if you forget your details it emails them to you, but the password is encrypted...is there a way around this? I have spent ages researching it but it doesn't seem possible. Many thanks in advance for any advice.
Generate a very short lived token for them, and email them a password reset form with this particular token, and allow them to change their password (probably after additional security checks, i.e., mothers maiden name).
Re: Decrypting MD5
Posted: Thu Oct 14, 2010 8:01 am
by jasonmc
Thanks for the replies Wierdan and John

Is there a simpler way I could do this such as a different encryption method so I can have an encrypted password in the database and a decrypted one sent? The token idea sounds very (very) good (and would work) but a bit too complex. I dont actually know how to send a form in an email. Many thanks again for the help.
Re: Decrypting MD5
Posted: Thu Oct 14, 2010 8:05 am
by Eran
Don't store passwords in your database (encrypted or plain-text). If someone gains access to your database it's only a matter of time before he has all the passwords (encryption can be broken). Most users use the same passwords on many sites so you'll be putting them at harms way.
Re: Decrypting MD5
Posted: Thu Oct 14, 2010 11:44 am
by Jonah Bron
Besides, that's the whole idea behind encrypting it in the database. What would be the point of storing it in plain-text too?
There are some great tutorials on the concepts and implementations of password stuff; I suggest you Google around.
Re: Decrypting MD5
Posted: Mon Oct 25, 2010 1:01 pm
by InsanityNet
Eran wrote:Don't store passwords in your database (encrypted or plain-text). If someone gains access to your database it's only a matter of time before he has all the passwords (encryption can be broken). Most users use the same passwords on many sites so you'll be putting them at harms way.
Thats why you should use salts.
IE:
My password is: password
My password encoded is: 5f4dcc3b5aa765d61d8327deb882cf99
Most users use a simple password like cat,dog,name.lastname, etc
Because of this, the password can easliy be discovered by using a rainbow table.
Try it at
This Site. Use the md5 provided above.
(Note, I have not added to the database. When you encode a string in md5, this site will add it as a md5/no-md5 pair, be careful!)
Now, lets add a simple salt shall we?
My Salt: mysimplesalt
My Salt (MD5): b47810f1b754c5c43e966c039ef70b31
My password to MD5 now become: b47810f1b754c5c43e966c039ef70b31password
My salted password is: 25556231aaacbdcd4e3128f098047f41
Now, it is almost impossible to decode this MD5 without knowing what the salt is.
Code: Select all
<?php
$pass = "25556231aaacbdcd4e3128f098047f41";
$salt = "mysimplesalt";
function encode($str) {
global $salt;
return md5(md5($salt).$str);
}
if (encode("password") == $pass) {
echo "Correct!";
} else {
echo "Denied!";
}
?>
You can look at the code
here
Re: Decrypting MD5
Posted: Mon Nov 01, 2010 9:04 am
by jrgp
As others have mentioned, MD5 hashes cannot be decrypted since they are one way. The two ways of cracking them are using a dictionary of known MD5 hashes and seeing if your hash exists in the dictionary (which is why you should use salts), and brute forcing them using a free tool such as John the Ripper, especially in a cluster, (which is why you should use special characters in the string you're hashing since that'll take longer to brute force than if you just use alphanumeric)
I hope this helps somewhat.