1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

md5 is reversible!!

Discussion in 'Security' started by clades, Mar 27, 2009.

  1. #1
    I thought md5 was 1-way encryption but today i visited a website and got shocked how easily it is to reverse it...i just clicked the button and the original string appeared. (probably the site has a generous md5 key database)
    SEMrush
    omg..thats all i've used up to now...

    What should i use then?
     
    clades, Mar 27, 2009 IP
    SEMrush
  2. baonhi41

    baonhi41 Peon

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #2
    That is not decode, only dictionary. Most famous is http://gdataonline.com with more than 1,133,761,543 words.
    To anti that, use alphabets + digist + some special in your password and length of password. Ex: Kara)$oke12
    Hard to discover
     
    baonhi41, Mar 27, 2009 IP
  3. jestep

    jestep Prominent Member Premium Member

    Messages:
    3,661
    Likes Received:
    215
    Best Answers:
    19
    Trophy Points:
    330
    #3
    It's called a rainbow table. MD5 is irreversable, but if someone has a database of enough known hashes the standard function can become useless. To get around this, always add a salt to your hashes. This can be something static like:

    MD5(string_to_hash . hu7f889r4hfioewr)

    or can be something dynamic like:

    MD5(string_to_hash . hsah_ot_gnirts)

    Either way makes a cracking table useless.
     
    jestep, Mar 27, 2009 IP
  4. clades

    clades Peon

    Messages:
    579
    Likes Received:
    6
    Best Answers:
    0
    Trophy Points:
    0
    #4
    yay good idea :D
     
    clades, Mar 27, 2009 IP
  5. baonhi41

    baonhi41 Peon

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    OR MD5(base64_encode("YOUR_REAL_PASSWORD"))

    Because MD5("YOUR_REAL_PASSWORD") is easier than MD5(base64_encode("YOUR_REAL_PASSWORD"))
     
    baonhi41, Mar 27, 2009 IP
  6. jackio

    jackio Banned

    Messages:
    490
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    0
    #6
    Best way to hash passwords is to give it a little salt!
    For example:
    sha1(md5(md5($password)+$registrationdate)+$salt);

    Just making it harder to get :)
     
    jackio, Apr 18, 2009 IP
  7. pitagora

    pitagora Peon

    Messages:
    248
    Likes Received:
    9
    Best Answers:
    0
    Trophy Points:
    0
    #7
    simply use salt. Salted hashes are terribly hard to crack considering you can't use rainbow tables
     
    pitagora, Apr 25, 2009 IP
  8. yah0m

    yah0m Peon

    Messages:
    90
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    sha-1+salt is the new md5 imo... i dont know why we still use md5's
     
    yah0m, May 11, 2009 IP
  9. Ladadadada

    Ladadadada Peon

    Messages:
    382
    Likes Received:
    36
    Best Answers:
    0
    Trophy Points:
    0
    #9
    Ladadadada, May 16, 2009 IP
  10. pitagora

    pitagora Peon

    Messages:
    248
    Likes Received:
    9
    Best Answers:
    0
    Trophy Points:
    0
    #10
    if the attacker knows you are doing this then there is no difference is security. base64 is easy to calculate and consume very little cpu time in comparison with md5
     
    pitagora, May 27, 2009 IP
  11. justdoit1

    justdoit1 Peon

    Messages:
    100
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #11
    Here's what we should do:

    actual password = server_salt + user_password);

    The server_salt will be kept outside of the root directory of server or authenticaion server on DMZ.

    In this way, even if attacker can obtain user password through SQL injection, he won't be able to login because he wouldn't know the actual password.

    With SQL injection, he can only know the password hash, which is a combination of server_salt + user_password.

    To be able to crack, he must know server hash. We must also disable mysql-loadfile=0 in my.cnf.
     
    justdoit1, May 27, 2009 IP
  12. Bohra

    Bohra Prominent Member

    Messages:
    12,579
    Likes Received:
    537
    Best Answers:
    0
    Trophy Points:
    310
    #12
    Yea its not actually reversable they are creating a datbaese by entering words
     
    Bohra, May 30, 2009 IP
  13. liammarksmith

    liammarksmith Peon

    Messages:
    14
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #13
    MD5 as said above can not be decoded,

    What they have done is probably got a database full of words, looped them running through md5, and attached the md5 string to that word

    Then you query the database looking for your md5 string and bang if a match has been found your returned with the original. You can decode any encryption this way, even if you need a string to decode it like crypt.
     
    liammarksmith, May 30, 2009 IP
  14. jestep

    jestep Prominent Member Premium Member

    Messages:
    3,661
    Likes Received:
    215
    Best Answers:
    19
    Trophy Points:
    330
    #14
    One thing to remember is that with crypt or any reversible encryption, if the key is known, then anything encrypted is known. With a hash like md5, sha1, there is no reversal, so if someone matches one hash, it takes the same amount of time, or more, to match even a single other. This is one of the reasons why hashing is a better idea for passwords.

    Just adding a random string of 7 or 8 characters as a salt will completely negate any cracking table.
     
    jestep, May 30, 2009 IP
  15. sadiqsaad

    sadiqsaad Peon

    Messages:
    406
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #15
    Its breakable, and guess what using PS3. Search google for more info.
     
    sadiqsaad, Jun 6, 2009 IP
  16. Bohra

    Bohra Prominent Member

    Messages:
    12,579
    Likes Received:
    537
    Best Answers:
    0
    Trophy Points:
    310
    #16
    Bohra, Jun 6, 2009 IP
  17. Matthew Sayle

    Matthew Sayle Prominent Member

    Messages:
    3,272
    Likes Received:
    450
    Best Answers:
    1
    Trophy Points:
    385
    Digital Goods:
    1
    #17
    The cool thing is, you can change your Wordpress password via phpmyadmin and when you login again it automatically adds the salt.

    So you can use a standard md5 Hash encrypter to generate new WP passwords without worrying about the salt.
     
    Matthew Sayle, Jul 5, 2015 IP
  18. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,630
    Likes Received:
    724
    Best Answers:
    152
    Trophy Points:
    470
    #18
    Wait, what? How in the world of all that is holy is that considered "safe" in any way? If anyone can redo the password with a simple MD5hasher, and then login and get any type of security (yeah, right) generated for them on login, what's from stopping anyone from doing this? All they'd need is access to the database (which, given that it's Wordpress, isn't that hard to get) and then insert the new password on say the user-accounts with an id of less than 20 - the chances of one of those being an admin-account is pretty big. If they don't need to know neither the salt nor the type of encryption in use, that makes for a HUGE security hole. (At least if that wasn't the case, even if they get hold of the database, there's no way for them to access the account, simply because they can't decipher the password stored).
     
    PoPSiCLe, Jul 6, 2015 IP