MD5 is not unique (Security Theory)

Michael James Swan

He has: 400 posts

Joined: May 2008

For a little while now, I have had a theory on how to decrypt any MD5 hash that has ever been generated.

My theory still stands to undergo "complete" testing, which could take months (depending on computer equipment/computer network), but I would love to see what everyone here thinks of the theory and also kindly ask that if you like it, then please DIGG IT... :0

The Theory
The MD5 hash that is created using the MD5 algorithm is not actually unique.

In a sense, each hash created using the aforementioned algorithm is unique and “cannot be decrypted”, but using a “reverse technique” you can decrypt any hash that has been created using MD5.

In order to decrypt an MD5 hash, you will need to already know what the MD5 hash was before it was created.

Regards,
Michael James Swan

Greg K

He has: 2,145 posts

Joined: Nov 2003

Now your request for the password generator makes more sense :)

-Greg

Michael James Swan

He has: 400 posts

Joined: May 2008

Greg K wrote:
Now your request for the password generator makes more sense :)

-Greg

YARP- To test the theory.

Not to hack into some bank or anything stupid. I had a theory, and I wanted to test it.

pr0gr4mm3r

He has: 1,502 posts

Joined: Sep 2006

Quote:
So what’s the point in decrypting something which you already know the answer to?

It's a means of verification, and there is no decrypting. It's a one-way hash; you can't decrypt it. All you do is run the provided password through the MD5 algorithm and see if it matches the hash you already know. If it matches, then the password was correct. Otherwise, the provided password was wrong.

Yes, you can say that it is not "unique". If you md5 an entire ISO image for means of data verification, then yes, there is the chance of arranging the bits in a different way such that the same md5 is created, but the probability is ~nil.

Other than that, I'm not really following the article. It seems that you don't quite understand the concept. I'm curious...in the websites you have developed, how do you store users' account passwords?

Michael James Swan

He has: 400 posts

Joined: May 2008

pr0gr4mm3r wrote:
Quote:
So what’s the point in decrypting something which you already know the answer to?

It's a means of verification, and there is no decrypting. It's a one-way hash; you can't decrypt it. All you do is run the provided password through the MD5 algorithm and see if it matches the hash you already know.

Correct! - BUT...
You are not going to know every single MD5 hash that is within "your database", so you cannot just verify something that you "do not know"; thus meaning that to search through "the database" and find a match to an MD5 hash that you did not know is decrypting.

>>>>>>>>>>>>>>>>>>>>>>>>>>>> In regards to the security of websites, etc...

MD5 is used within WordPress, yes... which is why MD5 should be considered "no longer" secure... But it would take a VERY POWERFUL COMPUTER & LOTS OF HDD space in order to create the databases required to "decrypt" any MD5 hash.

Regards,
Michael Swan

greg

He has: 1,581 posts

Joined: Nov 2005

To get the password you need to know the MD5 hash to start looking for it.

Then to find the original (unhashed) password, you either:
- run software that hashes each possible letter/word permutation and checks each result against its hash
- check your hash against an already created database that contains text and the text hashed to find a match

Such databases exist (rainbow tables), but of course are not in any way exhaustive, as there are 50,000 words in the English language; after that, letters and numbers (and even other chars as potentials) in permutations are immense.
Which is why so many people now insist on upper/lower case alphanumeric to stop simple passwords that are found in rainbow tables.

So, as getting the hash would mean access to the database, and then a HUGE arduous task to crack it, it's a lot of work.
Importantly, if you have already accessed the DB then the work cracking passwords is likely pointless as you can do more damage or access all data you want, or change passwords etc by having DB access.

So the MD5 is "a secure method with all things considered".

There are other algos like SHA, but adding your own in-house salting makes it more secure, and rainbow tables are very unlikely to have them.
Permutation software will still find them, but as the salt key will be random (i.e. GH65Ji8 etc) it will take a super computer a long time to find.
All not worth people's time unless it's a bank or gov site, and then other security is in place anyway.

So for general purposes, MD5 is pretty much secure enough.
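
The lookup-table and salting points raised in this thread, as an added example that is not part of any poster's message: a precomputed table resolves an unsalted MD5 hash, the same table misses once a salt is mixed in, and verification still works by re-hashing the supplied password. Assumptions: the wordlist is constructed sample data, the fixed salt is the sample string from the post above, the iteration count is illustrative, and the stored record uses PBKDF2-HMAC-SHA256 with a random per-user salt in place of MD5.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; stands in for the "already created database".
WORDLIST = ["password", "letmein", "dragon", "sunshine"]
ITERATIONS = 200_000  # assumed work factor for this example


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup(words):
    """Precompute unsalted MD5 -> plaintext, as a lookup table would."""
    return {md5_hex(w.encode()): w for w in words}


def salted_md5(password: str, salt: bytes) -> str:
    """MD5 over salt + password: same algorithm, but the table no longer applies."""
    return md5_hex(salt + password.encode())


def make_record(password: str):
    """Store a fresh random salt with a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print(table.get(md5_hex(b"letmein")))                # unsalted: found in table
    print(table.get(salted_md5("letmein", b"GH65Ji8")))  # salted: not in table
    alice, bob = make_record("letmein"), make_record("letmein")
    print(alice[1] != bob[1], verify("letmein", alice), verify("dragon", alice))
```

Two users with the same password end up with different stored digests, so one precomputed table cannot cover both records.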
