4

I have a confusion regarding MD5. I know that we cannot decrypt MD5 without attempting something like brute force hacking, which is extremely tough. Now, for one MD5 hash I visited this website: MD5Online. Out of curiosity I decrypted that encrypted password too, and I got the decrypted password. Then I tried 4-5 passwords which were previously stored in my database and this site decrypted all of them.

Then I tried with the code below.

<?php
        $password = 'cool@123@!';
        $secure_md5password = md5($password);
        echo $secure_md5password;
?>

I got this MD5 hash: 6234c13c3e1b965dbdd32d604151bd1b

I tried this hash in the decryption of this site and I got 'cool@123@!'. I tried with other, toughest passwords also.

So now I'm confused about the MD5 algorithm. Is that website doing brute force or anything, and can we use any code in PHP which that site is using? I visited these links for an answer but I can't find the answer: 1) encrypt-and-decrypt-md5 2) is-md5-decryption-possible 3) how-to-decrypt-an-md5-string-in-php

Bhavin
  • md5 is one-way encryption. You can't decrypt it, but still some dictionary words are recoverable using a code matching technique – Thamilhan Jun 27 '16 at 13:30
  • I tried with tough words also, e.g. cool@123@!, and it's also working. I tried 15-20 times. – Bhavin Jun 27 '16 at 13:31
  • md5 is relatively easy to get around. This is why it should never be used as a security model. – VikingBlooded Jun 27 '16 at 13:32
  • MD5 always produces the exact same hash sum for the same input string. Thus, if you feed it a well-known unsalted password, it will produce a hash sum which is bound to be known. 21232f297a57a5a743894a0e4a801fc3 is well-known to be the hash sum of "admin". This is why a secure password is so necessary. – Xyz Jun 27 '16 at 13:32
  • md5 is a hashing algorithm, it has nothing to do with encryption – Shira Jun 27 '16 at 13:34

4 Answers

8

MD5 has been proven to be a weak algorithm. As all your 'passwords' are basic, the website has already stored each password with a hash that was cracked long ago.

You cannot decrypt a hash, but you can brute-force and find out what it is.

Read more here: https://en.wikipedia.org/wiki/MD5 and here: https://security.stackexchange.com/questions/19906/is-md5-considered-insecure

EDIT: Saw that you updated your question.

Assume that you were to have a complex password of 'ajfn3inf' and you were to hash it. Running an MD5 cracker will easily unhash it due to its relatively short length and the power of GPUs to crack a hash. Read the links above to understand more about MD5.

Ctc
6

That website is probably using rainbow tables.

Information about this topic: https://en.wikipedia.org/wiki/Rainbow_table

Simply said: if they ever brute forced a hash, they'll save the hash and the password in a table. When someone enters a hash, they'll search the table and retrieve the unhashed value.

Blaatpraat
2

Yes, that is done by brute force. I'm sure that if your password is more than 12 characters, then this site leaves it unbroken. MD5 is outdated and no longer used. Instead, use the password_hash system for encrypting: http://php.net/manual/ru/function.password-hash.php

Vanya Avchyan
  • Yes brother, you are right. I tried with special characters and numbers but I didn't try with a big length. That site can't give an answer when the password is more than 13 characters. – Bhavin Jun 27 '16 at 13:47
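
The table lookup described in the answers above, next to the password_hash() replacement and a login-time upgrade of old MD5 rows (the upgrade step goes slightly beyond what the answers cover). This is an added PHP example, not code from the original posts; the word list, the sample passwords and the `reverse_md5()` and `login()` helpers are constructed for illustration.

```php
<?php
// Added example; the word list, passwords and helper names are constructed.

// 1) Unsalted MD5 is deterministic: hash => password can be precomputed once
//    and every later query answered with an array lookup.
$lookup = [];
foreach (['admin', 'letmein', 'qwerty', 'cool@123@!'] as $candidate) {
    $lookup[md5($candidate)] = $candidate;
}

function reverse_md5(array $lookup, string $hash): ?string
{
    return $lookup[strtolower($hash)] ?? null;   // null when never precomputed
}

$stored = md5('cool@123@!');                     // as stored in the question
var_dump(reverse_md5($lookup, $stored));
var_dump(reverse_md5($lookup, md5('a long passphrase nobody precomputed')));

// 2) password_hash() draws a fresh random salt per call, so equal passwords
//    give different stored strings and a precomputed table no longer matches.
$h1 = password_hash('cool@123@!', PASSWORD_DEFAULT);
$h2 = password_hash('cool@123@!', PASSWORD_DEFAULT);
var_dump($h1 === $h2);
var_dump(password_verify('cool@123@!', $h1), password_verify('wrong', $h1));

// 3) Upgrade legacy rows at login, when the plaintext is briefly available.
function login(string $password, string &$storedHash): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $storedHash)) {        // legacy MD5 row
        if (!hash_equals(strtolower($storedHash), md5($password))) {
            return false;
        }
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
        return true;                                           // caller saves it
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$row = md5('cool@123@!');                        // constructed legacy row
var_dump(login('cool@123@!', $row), password_get_info($row)['algoName']);
```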
1

You can use a salt with md5, and put validation for strong passwords using a strong password policy.

Deep Hakani