Hi Guys! Until yesterday I was under an impression that MD5 hashes cannot be reversed and is thus secured but then I found this site http://www.md5decryption.com/ which actually reverses your MD5 hash value, I was like WTF. I am sure there are other sites that can decrypt other hash functions like sha1, tiger160, sha256 etc. Please share your views about it? Thanks
These sites just have large databases of the md5 hashes of common strings. They're not really decoding it (that's not possible since there are multiple possible inputs for every md5 hash), just providing a tool for dictionary attacks.
ok I have a question in my mind what if its an 10 character alphanumeric password and the attack is a brute force attack? Then how much time will it take to recover the password using a modern PC?
since its a quadratic function, simply increasing the length by a few characters will take a while. quite a while, there's a hell of a lot of combinations its 36^10 (3,600,000,000,000,000) combinations. If you're worried about decryption bear in mind they might have the MD5 for 'rabbit' but not n7sns}{383_rabbit, so just salt all your passwords.
generate a random string when the user signs up, store it as the salt then when the user logs in check to see if the salt combined with the password enters matches the password! so password is '6436d1797416c4ad0a479dfc584ee999' which is jd84napples md5 encrypted store the salt as jd84 then when the user logs in see if the salt and the text entered is the password! so i enter pears it sees if my password is md5(jd84pears) and no its not. if i enter apples md5(jd84apples) and yes it is!
Get user's password, generate a fixed length salt . Combine md5 hash of password with salt, then rehash it. Store the new hash and the salt in db. User enter the password, instead of sending password, send the md5, so it is safe from hacker. Second combine with salt found in username, rehash it and compare with stored hased If match, login else invalid user !
MD5 is considered insecure since there have been various papers (and code) that have demonstrated collisions.
they have two websites.. one to encrypt and one to decrypt.. so watever people encrypt using their website they store in a databse and use them to decrypt strings.