What is MD5?

MD5 is a technique for generating a code a hash. It is a code that seeks to fetch a unique representation of an information (there is no guarantee that it will not have collisions - same code for two different information). It is not made to encrypt information. This must have already become clear according to what has already been said here in comments and answers. This is used to create a difficulty in accessing the data.

The problem with MD5 is that it is possible to break his security. It is not a simple thing to do but is possible . If you really want to do this, it is good to prepare yourself not only to study the subject a lot but also to be willing to achieve what you want. Breaking security is not the same as discovering your original content.

MD5 to protect passwords

There is no reason to reverse a password encoding other than to do something illegal. If you are wanting to break a password you it can (even on your systems, in every way) break a password can be illegal. If you lost the password, create another one, do not try to find out what the password was.

If you just want to compare to know if the password sent to the system is valid then you should apply the hash MD5 on it and compare the two hashes. Either way using simply pure MD5 is not good practice (read the link above).

Reversible encryption

If you need to encrypt something that depends on rollback, decryption, for some reason, you should use an algorithm that allows this ( symmetric encryption ). Of course, such an algorithm has its shortcomings in terms of security. Reversible algorithms have the basis of security by hiding the encryption key. If someone has the key, the encryption is compromised. Then the problem happens to be to protect the key well. But as far as I know no one has managed a better way of solve this problem.

In cases where this is important it is common to use complementary keys to perform the operation. This is used in encryption for content encoding and communication as used in SSL, file encryption and pay TV channels (asymmetric encryption).

In some cases the key may change frequently making its discovery and use more difficult. When someone discovers the key it is no longer used. Obviously this is more useful in unstable content (TV broadcast for example). It is possible to apply to a file on disk but it takes work to do this in a minimally safe way.

Conclusion

Breaking security often uses several techniques together. And the most used is the social engineering , is to use the 171 (origin of the popular term) to get what you want. Humans are much easier to dribble than equipment, which math.

Try using this .

MD5, speaking in a popular language, is a single-way hash.

There is no information to revert the hash to the original value.

For a few years, several websites offer solutions to "reverse" the hash and this causes a certain confusion because those who do not understand the subject end up believing that MD5 is reversible. What these sites offer is the so-called rainbow table. The technique consists of the same logic as a " raw force'.

The rainbow tables are only databases containing strings and their respective values in MD5.

This scheme works only for hashes without"jumping".

The logic is simple. A script automatically generates, in an" infinite loop", all kinds of combinations of characters possible. Within this repeating loop, the MD5 hash of this combination is also generated and saved in a database, which has a pseudonym known as " rainbow table".

Currently, several sites guarantee to have combinations of 5 full characters and almost completing 6 characters.

To better understand, see an example of the logic involved:

Combinations of characters of size 1 and their respective MD5

 a -> 0cc175b9c0f1b6a831c399e269772661
 b -> 92eb5ffee6ae2fec3ad71c777531578f
 c -> 4a8a08f09d37b73795649038408b5f33

And so it goes on until it generates the MD5 of all types of characters, including numbers and multibyte characters

あ -> 8c0c3027e3cfc3d644caab3847a505b0
い -> 655dcb0e6519c34baf6d9d53e1932389
う -> 31e55ff7f86aaee740277059a9983d89
□ -> 8c8586b6fb99a8815eeec4ea97e6222d

It seems easy to generate the hashes, but you need to create the combinations. Here we have an example of size 2:

ab -> 187ef4436122d1cc2f40dc2b92f0eba0
ac -> e2075474294983e013ee4dd2201c7a73
ba -> 07159c47ee1b19ae4fb9c40d480856c4
bc -> 5360af35bde9ebd8f01f492dc059593c
ca -> 5435c69ed3bcc5b2e4d580e393e373d3
cb -> d0d7fdb6977b26929fb68c6083c0b439

So far seems easy, but imagine 5 combinations. How many possible combinations are there in 5 houses?

abcde -> ab56b4d92b40713acc5af89985d4b786
acbde -> e0e56a95aff0ee48fc44e8a4faf69adb
adbce -> a44a7eb2135809f67ce273e0de8b52cb

Even with size 5, it does not seem difficult if we only deal with Roman alphabet and numbers, but remember that one should also include special/multibyte characters. At this point the combinations pass trillions of records.

How do these sites return the value of a hash?

Just querying in the database.

select original from rainbowtable where hash = 'ab56b4d92b40713acc5af89985d4b786'

This would return "abcde", if it is already previously saved in the database.

Therefore, it is recommended to avoid short passwords, smaller than 6 characters, and also passwords containing simple characters.

Simple Password example, where obviously rainbow tables sites already have their hashes:

abc
111
123
abc123
senha
passord
user
admin
123456
111111

When creating a password, try to do at least something like this:

j&SCjV:Kd#A!6VN7x=eY

Mixture special characters, uppercase and lowercase letters, numbers. Finally, the larger and more complex, the less likely it is to exist in a rainbow tableor be broken by brute force.

Password Recovery

It should be possible to retrieve this MD5 in the bank and show" password " of back on an information update form, right?

A website that returns the original password to the user, is insecure. When finding a site that does this, avoid using it if you have important information, especially financial transactions.

A website that can see the password entered by the user, hurts privacy and basic security rules because even a hosting server administrator or the site programmer can be malicious and get the passwords of users.

An aggravating factor in this is that most users use the same password for everything. Email services, email accounts social networks, even credit card password.

That is, if you get the password, you will have the passport for almost all or all of the accounts that this user has on third-party services.

The same password 1234, which is used on facebook, also uses on credit card, debit card, email and various services. Unfortunately the user gives up his own security for "practicality".

(the term *facebook is a mere example. Obviously facebook does not allow a password of these)

At this point comes the responsibility of service providers to force the user to create complex passwords. Complexity depends on the business model of the service.

Final note , There is also raibow tables of other hashes such as sha1, des, crypt16, among others.

When you encrypt a password and write to the database you do not need to decrypt to know if it is correct. You must encrypt the one that was told at the time of authentication and compare with the one that was written to the database.

select * 
from user 
where usuario = usuario_informado 
and senha = md5(senha_informada)