MD5, speaking in a popular language, is a hash one-way.
No information to reverse the hash for the original value.
A few years ago, several websites offered solutions to "reverse" the hash and this causes a certain confusion because those who do not understand the subject end up believing that the MD5 is reversible. What these sites offer is the so-called Rainbow table. The technique consists of the same logic of a "Brut force".
As Rainbow Tables are only database containing strings and their respective values in MD5.
This scheme works only for hashes without "bounce".
The logic is simple. A script automatically generates, in an "infinite loop", all kinds of possible character combinations. Within this loop, the MD5 hash of this combination is also generated and saved in a database, which has a pseudonym known as "Rainbow table".
Currently, several websites guarantee to have combinations of 5 full characters and almost completing 6 characters.
To better understand, see an example of the logic involved:
Size 1 character combinations and their respective MD5
a -> 0cc175b9c0f1b6a831c399e269772661
b -> 92eb5ffee6ae2fec3ad71c777531578f
c -> 4a8a08f09d37b73795649038408b5f33
And so it goes on until generating MD5 of all character types, including numbers and multibyte characters
あ -> 8c0c3027e3cfc3d644caab3847a505b0
い -> 655dcb0e6519c34baf6d9d53e1932389
う -> 31e55ff7f86aaee740277059a9983d89
□ -> 8c8586b6fb99a8815eeec4ea97e6222d
It seems easy to generate the hashes, however, it is necessary to create the combinations.
Here we have an example of size 2:
ab -> 187ef4436122d1cc2f40dc2b92f0eba0
ac -> e2075474294983e013ee4dd2201c7a73
ba -> 07159c47ee1b19ae4fb9c40d480856c4
bc -> 5360af35bde9ebd8f01f492dc059593c
ca -> 5435c69ed3bcc5b2e4d580e393e373d3
cb -> d0d7fdb6977b26929fb68c6083c0b439
So far it seems easy, but imagine 5 combinations. How many possible combinations there are in 5 houses?
abcde -> ab56b4d92b40713acc5af89985d4b786
acbde -> e0e56a95aff0ee48fc44e8a4faf69adb
adbce -> a44a7eb2135809f67ce273e0de8b52cb
Even with size 5, it doesn’t seem difficult if we only deal with Roman alphabet and numbers, but remember that you should also include special/multibyte characters. At this point the combinations pass trillions of records.
How these sites return the value of a hash?
Just looking in the database.
select original from rainbowtable where hash = 'ab56b4d92b40713acc5af89985d4b786'
This would return "abcde", if you are already saved in the database.
Therefore, it is recommended to avoid short passwords, smaller than 6 characters and also passwords containing simple characters.
Simple password example, where obviously Rainbow Tables sites already have their hashes:
abc
111
123
abc123
senha
passord
user
admin
123456
111111
When creating a password, try to do at least something like this:
j&SCjV:Kd#A!6VN7x=eY
Mix special characters, uppercase and lowercase letters, numbers. Finally, the larger and more complex, the less likely it is to exist in a Rainbow table or be broken by Brut force.
Password recovery
it should be possible to recover this MD5 in the database and show "password" of
back on an information update form, no?
A website that returns the original password to the user is insecure. When you find a website that does this, avoid using it if you have important information, especially financial transactions.
A website that can see the password typed by the user, hurts basic privacy and security rules because even a hosting server administrator or the website programmer can be malicious and get the user passwords.
An aggravating factor in this is that most users use the same password for everything. Email services, social network accounts, even credit card password.
That is, if you get the password, you will have the passport for almost all or all accounts that this user has in third-party services.
The same 1234 password, which is used on facebook, also uses on credit card, debit card, email and various services. Unfortunately the user gives up his own security for "practicality".
(The term *facebook is a mere example. Obviously facebook does not allow such a password)
At this point comes the responsibility of service providers in forcing the user to create complex passwords. Complexity Depends on Service Business Model.
Final remark, there are also Tables raibow of other hashes like sha1, des, crypt16, among others.
"MD5 Calculates the hash MD5 of a string", it is not an encryption something. Although it is often used to "encrypt" passwords. The most it does is generate a comparison hash. By the way, what is the reason for reversing the user’s password? If he forgot, just create a new one.
– Papa Charlie
Imagine that some error occurs and escapes data from users, or provides access to DB, anyone with the 'pseudo-password-encrypted' could reverse it. Which wouldn’t be good.
– Papa Charlie
Related: "How to hash passwords securely?". Briefly, you don’t "decrypt" MD5 - since this is a function of hashing, nay cipher (as the ESA or similar). To check if a new data is equal to a previously hashed data, you hash the data again and compare it with the stored hash (equal data generates equal hashes). But as the linked question shows, you should not use MD5 to secure passwords.
– mgibsonbr
MD5 is not encryption. It’s hash. If it’s not encryption, there’s no decryption. If you take 1TB of data or a single byte and generate the MD5 of both, you will get a hash of the same size. If it were possible to "decrypt" the hash and get the 1TB back, you would have the best data compactor in the Universe! rs... What exists are hash dictionaries, which store data that has been processed and thus can obtain the original information from the hash.
– dellasavia
Have any answers solved the problem? Do you think you should accept any?
– Maniero
Hello, on this site you can decrypt md5: http://www.md5online.org/
– user33304
Pigeon hole theorem: if 9 pigeons enter 8 houses, at least 2 pigeons will have to share a house. Since MD5 has only 128 bits, there are numerous passwords that generate the same MD5. Of course, as it is a high quality hash, an accidental collision is unlikely. What people try, to discover commonly used passwords, are the "Rainbow Tables. Sometimes searching for MD5 in Google results in the original string (or rather, the most likely original string, because as said, there are infinite strings that generate the same hash)
– epx