Can a website be used as the MD5 Hash Cracker?
I have heard that hashing, such as MD5, is one-way and cannot be cracked. But there are some websites that can decrypt hash, like www.md5hashing.net and some scripts like findmyhash.py. I tested some hash and it was cracked successfully. Why can it do so?
I read on the website that MD5 is a 128-bit encryption algorithm, which generates a hexadecimal hash of 32 characters, regardless of the input word size.
This algorithm is not reversible, it's normally impossible to find the original word from the MD5.
Our tool uses a huge database in order to have the best chance of cracking the original word.
Just enter the hash in the MD5 decoder in the form above to try to decrypt it!
Hashes can be cracked using brute forcing. That means that you test hashing every possible input until you find one that generates the right output. To stop the MD5 hash cracker, a hash function used for password storage or key derivation needs to be deliberately slow (so that testing a lot of inputs take a very long time).
A site like the one you mention can also store a big list of known pairs of common inputs and outputs. Therefore they don't need to do a brute force every time someone sends them a hash to crack - they just need to look it up in the table. To stop this you use a salt (so that even a common password gets an unique hash).
You will note that they do not know the value of all hashes, just common ones. An example:
5f4dcc3b5aa765d61d8327deb882cf99 is correctly reversed to password, because that is in their database.
039c004d00c02a193144e96b3e8aa4ba can not be reversed to the random string tUGPP*yq24p+EgpQ that I just generated, because they can not fit all billions of possible random strings into their database.
So how do you protect yourself against sites like this? Use a slow hashing algorithm and a salt.