Md5 Encrypt & Decrypt

BeetVPN

What is MD5 ?

MD5 (or Message Digest 5), is a cryptographic function that allows you to create a 128-bits (32 characters in hexadecimal since you only need 4 bits to code hexadecimal) "hash" from any input up to 2^64 bits. This produces a digital fingerprint of the file or text and thus allows to sign it for security verifications. MD5 was created in 1991 as a replacement of MD4 algorithm, that, however being a 128-bits algorithm too, suffered from security breaches (collisions were found very early). In 1996 actual collisions were also found on MD5 which is considered as insecure since then, collisions were confirmed in 2004. You can find out more about collisions here.


Despite being insecure, MD5 is still widely used as a file fingerprint (such as SHA-1) and password storage by webmasters that are not well informed about security.


The hash produced by MD5 is supposed to be unique (it cannot be since 128-bits even if very large is finite), so for instance if you type the word "Password" with a capital, it will produce this hash :



Password : dc647eb65e6711e155375218212b3964

While the same word without the Capital "P" gives this hash :

password : 5f4dcc3b5aa765d61d8327deb882cf99

How to decrypt MD5 ?

Since MD5 in a hashing function, it is not reversible. Meaning that you cannot calculate the plaintext that was hashed only looking at the hash. It's a one-way function. This is also why it is used to sign files and also to store passwords. Thanks to this, webmasters are not in capacity to know your plain password from their database. When you enter a password on a website it is (most of the time) stored as hash, then when you come back this hash is compared to the hash of password you enter, if they match the passwords were the same.


Now if MD5 is a one way function, how do we decrypt it ? We actually don't "decrypt" MD5, we use this word because it's easy to understand, but hashing function cannot be decrypted. It can be reversed. For this to happen, the only way is to compare a given hash with a database of couples password:hash. This is what we have on this website. We have billions hashes stored in our database. When you enter a hash in our search bar, we look into our database if we have a match. If so we provide you with the password. Our database contains every dictionnary that we were able to find on the internet. We also made our own dictionnaries from statistical analysis of actual used passwords. We also bruteforce the unfound passwords every few weeks, so if your hash wasn't found, you can come back later maybe we'll have it cracked. If we are not able to crack it, you can still use paying bruteforce services such as hashes.com or onlinehascrack.com. Or if you have a good GPU, you can download hashcat and use it to crack MD5 hashes yourself.

Is MD5 secure ?

As stated before, MD5 isn't considered as secure since collisions were found in 1996. Even though, it's still widely used by webmasters. Plain MD5 is actually one of the worst and unsecure way to store passwords, just after plaintext of course. If you actually store MD5 on your database, and don't want to recode your password scheme to use better password hashing techniques, you can add a salt. The salt is a random string that will be added to the user's password. this will make online database (rainbow tables and hash tables) as ours useless because we would have to recalculate every password with the salt. You could for instance rehash every password entry in your database by adding the salt to the user's password. For instance if your user's MD5 password is the one we hashed before :



Password : dc647eb65e6711e155375218212b3964

You want to add a salt. For instance a 128-bits salt (which is a minimum) : 4*;df-A4+#1q:eD7
If we add this salt to the user's MD5 on the database it gives us this hash :

4*;df-A4+#1q:eD7dc647eb65e6711e155375218212b3964 : 7ff41d989745f57784e50d3e1630490a

Now when an user wants to log on your website, you just have to hash its password, add your random salt to it, then re-hash the concatenate string, and check if it's the same MD5 that you stored. You can also use a pepper, which is a database-wide string that you add on top of the salted password.


The better way though to store passwords nowadays is through slow hashing algorithm such as Bcrypt or Blowfish which were created to slow down bruteforce techniques as you can set the number of iterations. Also there's an automatic salt that is added to the password.

Statistics

We found 43855150 hashes since 2015, with a global crack rate of 58.38%.