I got an email asking me is it possible to decrypt MD5 hashed strings and if yes, how? Usually I ignore these kind of question but since MD5 is used in WordPress, I thought it might be useful to write a little about it in case you’ve forgotten your WordPress password. In cryptography, MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. As an Internet standard, MD5 has been employed in a wide variety of security applications.
Before we ask how to decrypt MD5 strings, we should first ask is it even POSSIBLE to decrypt it. I am no PRO in encryption because I hated mathematics, but I manage to find out how it works.
First of all, MD5 is not an encryption, but a hash. The difference between encryption and hash is that with an encryption-algorithm it is a 2-way process encrypt<->decrypt. With a hash this is a 1-way process, there is no decryption possible. An example of an application that uses MD5 hash is WordPress. When you enter a password at the login page, the password is MD5 hashed and the two hash values are compared. If it matches with the one in the database, then you’re logged in.
If didn’t notice, scripts that uses MD5 to hash password doesn’t allow you to “recover” the password that you’ve forgotten. It will only generate new password and send it to your email. This way, you don’t have to worry about the administrator peeking at your password and try using them at your other registered account (since most people uses the same password).
There is a way I know of that can possibly decrypt MD5 hash. There are many websites that offers MD5 reverse lookup service using hashed database. It is sort of like dictionary decryption attack. They’d need to add a matching MD5 hash and plain text first. Then when someone enters the same MD5 hash, the plain text will be shown.
Here’s a test on how to decrypt locally installed WordPress via WOS Portable administrator password. I found a 32 character MD5 hash from phpMyAdmin.
Then I entered the 32 character MD5 hash on a website that has a huge database of decrypted MD5 hashes.
As you can see, the website is able to decrypt the MD5 hash within seconds. You do not have to worry so much because not everyone is able to access the database to get your MD5 hash other than the owner of the website and the webhost. If you use a minimum of 8 random character consist of numbers, letters and one spacing, the chances of your password being decrypted is nearly impossible. Below are the websites I found that can do MD5 reverse lookup.
www.rednoize.com – 50,709,274 Hash in database www.md5oogle.com – 6,353,625 Hash in database www.hashmash.com – 1,611,191 Hash in database www.gdataonline.com 1,155,613 Hash in database www.md5decryption.com – 872,145 Hash in database www.md5decrypter.com – 583,441 Hash in database www.md5decrypter.co.uk – 41,568,541 Hash in database www.macrosoftware.ro – 5,403 Hash in database www.md5-db.com – Did not mention amount of hash in database
If I missed any sites that has MD5 database, do let me know so I can add it to the list above.
The more common use of rainbow tables to quickly look up hashed values is also why it is important to utilize a unique salt for each password you hash.
Say your authentication database was compromised and the hacker now has a full list of your passwords. If they each have their own salt the hacker can’t just use one rainbow table to determine the password, but must generate a separate table for each password as the salt must be removed before the password can be used.
If you’re interested read up a little more on Wikipedia en.wikipedia.org/wiki/Salt_%28cryptography%29
Why not hashchecker.de ?
Meta Searchengine for 40 hash databases
Hi,
An another md5 cracker :
Online MD5 Revers | Hash cracker
ice.breaker.free.fr/
Nice day !
Great work, as usual Raymond. At first I thought no drug would fry a mans brain quite like Flash. That was two years ago before I learned about encryption, hashes, salts and algorithms. Haven\’t slept much since then. The stuff is addicting if you\’re a numbers junkie like myself. The site list of MD5\’s is awesome. I\’ll keep searching and see if I can find a few more for you.
Thanks brother i really need this tut because i was really want to know about MD5.Thanks again.
thnxxxxxxxxxxxxx
raymond u r gr8 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, for ever :-)
one more time congratulation Raymond
A lot of MD5 hash “decryption” services employ the use of Rainbow Tables. Essentially these are massive lookup tables. One method I use to create massive lookups, is simply to start generating them starting from aaaaa to zzzzz.
Great post Raymond ! :) Really helpful.
By the way, whats the difference in MD5 check-sum and SHA1 checksum ?
Thanks.
Microsoft has been telling that MD5 is broken. Fedora use SHA1.
That was a very good and informative writeup
Thanks
Quite difficult to understand the encryptiondecryption but nice to know for General Awareness sake as I never use WordPress
Even Though Thanx Raymond