I got an email asking me is it possible to decrypt MD5 hashed strings and if yes, how? Usually I ignore these kind of question but since MD5 is used in WordPress, I thought it might be useful to write a little about it in case you’ve forgotten your WordPress password.
In cryptography, MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. As an Internet standard, MD5 has been employed in a wide variety of security applications.
Before we ask how to decrypt MD5 strings, we should first ask is it even POSSIBLE to decrypt it. I am no PRO in encryption because I hated mathematics, but I manage to find out how it works.
First of all, MD5 is not an encryption, but a hash. The difference between encryption and hash is that with an encryption-algorithm it is a 2-way process encrypt-decrypt. With a hash this is a 1-way process, there is no decryption possible. An example of an application that uses MD5 hash is WordPress. When you enter a password at the login page, the password is MD5 hashed and the two hash values are compared. If it matches with the one in the database, then you’re logged in.
If didn’t notice, scripts that uses MD5 to hash password doesn’t allow you to “recover” the password that you’ve forgotten. It will only generate new password and send it to your email. This way, you don’t have to worry about the administrator peeking at your password and try using them at your other registered account (since most people uses the same password).
There is a way I know of that can possibly decrypt MD5 hash. There are many websites that offers MD5 reverse lookup service using hashed database. It is sort of like dictionary decryption attack. They’d need to add a matching MD5 hash and plain text first. Then when someone enters the same MD5 hash, the plain text will be shown.
Here’s a test on how to decrypt locally installed WordPress via WOS Portable administrator password. I found a 32 character MD5 hash from phpMyAdmin.
Then I entered the 32 character MD5 hash on a website that has a huge database of decrypted MD5 hashes.
As you can see, the website is able to decrypt the MD5 hash within seconds. You do not have to worry so much because not everyone is able to access the database to get your MD5 hash other than the owner of the website and the webhost. If you use a minimum of 8 random character consist of numbers, letters and one spacing, the chances of your password being decrypted is nearly impossible. Below are the websites I found that can do MD5 reverse lookup.
If I missed any sites that has MD5 database, do let me know so I can add it to the list above.