This decrypter can handle encrypted words of up to 5 characters. Those words can include numbers and a capitalized first letter. No symbols, unfortunately :( but I will work on it, and maybe some day in the future I will improve it.
Right now it contains 107 111 510 different combinations. Database size: 1,4 GB.
Example words that can be decrypted: Jess2, m2ryy, Mark5, Pass0, 62853 etc.
UPDATE! Found an error: the database misses five-letter combinations that end with "a". No worries, it is only 0,06% of this database.
What is MD5?
MD5 (Message-Digest Algorithm). Simply put, it is a method used to secure your password when it is sent over the Internet. It takes the password or passphrase that you register at some site and turns it into a single line of numbers and some letters. This process is called hashing, and the lines that are generated are called hashes (obviously the inventors of cryptography were potheads). Letters and numbers that are used: 1234567890abcdef. The length of a single hash is 32 characters.
It is something similar to enciphering a message. For example, take the word “password” and replace p with 5, a with f, s with o, w with q, o with 9, r with z and d with j; “password” then becomes “5fooq9zj”. Although “5fooq9zj” seems quite secure, it gives away the length of your password. Now all the attacker has to do is check this combination against dictionary words that are 8 characters long and have identical letters at the third and fourth positions. It will take only a couple of minutes or even seconds to crack your password or passphrase. In fact he/she doesn’t even need a script to crack that; it is possible to crack it just by using a spreadsheet with dictionary words sorted by length.
Much like a cipher, MD5 replaces the characters of your password/passphrase, but it replaces them only with characters in the range 1234567890abcdef (called the hexadecimal system; hexadeca stands for 16 in Greek). And it makes all your encrypted messages 32 characters long.
MD5 doesn’t care how long your password or passphrase is; it always generates an encrypted message that is 32 characters long. For example, let’s encrypt one password and one passphrase:
abc123 - e99a18c428cb38d5f260853678922e03
fat cat sat on the porch and was drunk - 8477a3363494820f68cf07e67538255e
Both hashes are 32 chars long.
There is a finite number of different hashes. To be specific, there are 16 to the power of 32 possible different combinations of MD5 hashes. As a number it is:
340 282 366 920 938 000 000 000 000 000 000 000 000 different combinations
By very long computation, cryptographers have found some “collisions” of the MD5 hash; simply put, it means that sometimes two different encrypted words may be represented under the same hash. It doesn’t make your password useless when you log in; all it does is that your account may be opened not only by your password but by some other word (combination) as well. It took cryptographers years to compute that, and the possibility of that happening to you is so low that you should not worry about it.
What is salt?
Salt is a method where you take your generated hash and encrypt it multiple times.
For example, let’s take the word “password”.
Encrypted once we get: 5f4dcc3b5aa765d61d8327deb882cf99
Now let’s take this same hash (the newly generated 32 chars) and put it into encryption once more; we get: 696d29e0940a4957748fe3fc9efd22a3
Let’s do it yet another time: 5a22e6c339c96c9c0513a46e44c39683
You can do so an infinite number of times.
This method increases the security of a password, because after getting into the database and obtaining a list of hashed passwords, the attacker now has to figure out how many times this encrypted hash has been salted. It will take him/her from a couple of hours up to several days to figure that out. It will not entirely secure passwords or passphrases from being hacked, but it is highly recommended.
What is a rainbow table?
A rainbow table is a collection of pre-calculated hashes. It is used to decrypt hashes.
Example table (for abc attack):
Password | Hash
a        | 0cc175b9c0f1b6a831c399e269772661
b        | 92eb5ffee6ae2fec3ad71c777531578f
c        | 4a8a08f09d37b73795649038408b5f33
…        | …
aab      | e62595ee98b585153dac87ce1ab69c3c
…        | …
And so on…
Example table (for dictionary attack):
Password | Hash
123456   | e10adc3949ba59abbe56e057f20f883e
abc123   | e99a18c428cb38d5f260853678922e03
abcdef   | e80b5017098950fc58aad83c8c14978e
password | 5f4dcc3b5aa765d61d8327deb882cf99
qwerty   | d8578edf8458ce06fbc5bb76a58c5ca4
…        | …
And so on…
The size of a rainbow table is limited by the size of the HDD where it is kept. As there are 32 characters in one hash, it takes 32 bytes per hash. So if, for example, we would like to make a rainbow table that will help us crack small six-character lower-case passwords (number of combinations 308 915 776, see Brute force attack time table), we would need a HDD with 9,8 GB of available space, which is absolutely easy to achieve nowadays. If we took six-character passwords with upper and lower case letters, all numbers and some common symbols (number of combinations 139 314 069 504, see Brute force attack time table), it would still be achievable, as a 4.45 TB HDD would be needed. So what does all this tell you about the length of your password? Exactly: it is better to use a passphrase.
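The pre-computed table and the storage estimate above, as an added Python example that is not part of the original page: build_lookup_table precomputes hash-to-password entries for the page's “abc attack” alphabet plus a small word list, lookup reverses a stored hash by exact match, and table_size_bytes applies the page's 32-bytes-per-hash figure to a keyspace. The function names and the word list are my own, and the size estimate counts only the hex hash, as the page does, not the plaintext column.

```python
import hashlib
import itertools
import string

BYTES_PER_HASH = 32  # the page's estimate: one 32-character hex hash per entry

def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the form the page shows."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_lookup_table(alphabet: str, max_len: int, dictionary=()) -> dict:
    """Precompute hash -> plaintext for every string over `alphabet` of length
    1..max_len (the page's "abc attack") plus a word list (the page's
    "dictionary attack").  Built locally from constructed inputs."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            word = "".join(combo)
            table[md5_hex(word)] = word
    for word in dictionary:
        table[md5_hex(word)] = word
    return table

def lookup(table: dict, digest: str):
    """Reverse a stored hash by exact match; None when it is not in the table.
    An unsalted fast hash of a short password falls to this in one dict access."""
    return table.get(digest.strip().lower())

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def table_size_bytes(entries: int) -> int:
    """Storage for a full table, using the page's 32 bytes per hash."""
    return entries * BYTES_PER_HASH

if __name__ == "__main__":
    words = ["123456", "abc123", "abcdef", "password", "qwerty"]  # constructed
    table = build_lookup_table("abc", 3, words)
    for digest in ("0cc175b9c0f1b6a831c399e269772661",
                   "e10adc3949ba59abbe56e057f20f883e"):
        print(digest, "->", lookup(table, digest))
    six_lower = keyspace(len(string.ascii_lowercase), 6)
    print(six_lower, "entries,", table_size_bytes(six_lower) / 1e9, "GB")
```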
How does it all work?
Registration:
1. Input field: You type your password or passphrase into the registration form. For example you type “abc123” as your password.
2. MD5 encryption: The MD5 algorithm turns “abc123” into “e99a18c428cb38d5f260853678922e03”.
3. Sending: Your computer sends your user name and encrypted password “e99a18c428cb38d5f260853678922e03” to the server of the site.
4. Saving in server: The server saves your user name and encrypted password “e99a18c428cb38d5f260853678922e03” to the database.
Log in:
1. Input field: You type your password or passphrase into the log-in form. For example you type “abc123” as your password.
2. MD5 encryption: The MD5 algorithm turns “abc123” into “e99a18c428cb38d5f260853678922e03”.
3. Sending: Your computer sends your user name and encrypted password “e99a18c428cb38d5f260853678922e03” to the server of the site.
4. In server: The server checks your user name and password in the database and finds that your password “e99a18c428cb38d5f260853678922e03” matches the one in the database.
5. Match made: As your sent encrypted password matches the one that the server got from the database, it is OK to send you information from the server. Otherwise the server will send a notification that your password or user name is wrong.
Now when someone attacks that server or wiretaps the line between your computer and the server, all he would get is your hashed password: “e99a18c428cb38d5f260853678922e03”. He/she would have to start cracking that hash or check it in a pre-calculated rainbow table. This example password “abc123” will be cracked in a matter of milliseconds, but larger and more complex passwords, i.e. passphrases, will be a lot harder to crack.
And when the pass is salted?
When the pass is salted it tastes a lot better.
Registration:
1. Input field: You type your password or passphrase into the registration form. For example you type “abc123” as your password.
2. MD5 encryption repeated n times: The MD5 algorithm turns “abc123” into “e99a18c428cb38d5f260853678922e03”, and then this encryption is encrypted again and again, n times.
3. Sending: Your computer sends your user name and the n times encrypted password to the server of the site.
4. Saving in server: The server saves your user name and the n times encrypted password to the database.
Log in:
1. Input field: You type your password or passphrase into the log-in form. For example you type “abc123” as your password.
2. MD5 encryption repeated n times: The MD5 algorithm turns “abc123” into “e99a18c428cb38d5f260853678922e03”, and then this encryption is encrypted again and again, n times.
3. Sending: Your computer sends your user name and the n times encrypted password to the server of the site.
4. In server: The server checks your user name and password in the database and finds that your n times encrypted password matches the one in the database.
5. Match made: As your sent n times encrypted password matches the one that the server got from the database, it is OK to send you information from the server. Otherwise the server will send a notification that your password or user name is wrong.
Now the attacker receives a different hash than before. For example, the triple-encrypted pass “abc123”:
80e380bb24647ada593f44e60a806b63
First, the attacker will try to crack it as if it were a simple, single-encrypted password. He/she will not succeed in that. So he/she has two possibilities: 1. this password is too long or uses too complex characters to be cracked, or 2. it is multiply encrypted. At that point some attackers would go for the first one and in the process lose a lot of time. The ones who choose the second option will go to the website that they attacked and register a new account. Into the user name field they write, for example, “user114”, and into the password field they type, for example, “aaaaaa”; as they send that information to the server they can, with proper software, track what information is sent from their computer. They will receive information like their user name “user114” and an encrypted password like “b6b3f5c1398b1ad19aa4c773ec1ba8b6”, so now all they have to do is encrypt their password “aaaaaa” multiple times and find how many times that site encrypts its passwords. How many times was “aaaaaa” encrypted?
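The repeated-hashing scheme from the salt section and from the walkthrough above, as an added Python example that is not the page's own code: md5_chain reproduces the page's chain for “password”, iterated_store is the page's stored value, and salted_store mixes a random per-user value into the input, which is what password storage normally calls a salt (an assumption of this example; the page uses the word for the repeated encryption). stored_values_collide shows the property a defender cares about: without a per-user salt, two accounts with the same password store the same value, and one recovered repetition count applies to every account.

```python
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def md5_chain(password: str, rounds: int) -> list:
    """Hash `password` `rounds` times, feeding each hex digest back in as the
    next input (the page's "encrypt it multiple times"); returns every digest."""
    chain, current = [], password
    for _ in range(rounds):
        current = md5_hex(current)
        chain.append(current)
    return chain

def iterated_store(password: str, rounds: int) -> str:
    """Stored value in the page's scheme: the last digest of the chain."""
    return md5_chain(password, rounds)[-1]

def new_salt() -> bytes:
    """Random per-user value made at registration and stored in clear beside
    the digest.  Assumed for this example; the page has no such value."""
    return os.urandom(16)

def salted_store(password: str, salt: bytes, rounds: int) -> str:
    """Same chain, but the salt is prefixed to the first input, so equal
    passwords of different users no longer give equal stored values.  MD5 is
    kept only to match the page; deployments use bcrypt, scrypt, Argon2 or PBKDF2."""
    current = salt.hex() + password
    for _ in range(rounds):
        current = md5_hex(current)
    return current

def verify_salted(password: str, salt: bytes, stored: str, rounds: int) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_store(password, salt, rounds), stored)

def stored_values_collide(scheme, passwords: list) -> bool:
    """True when two users' stored values coincide under `scheme`."""
    values = [scheme(pw) for pw in passwords]
    return len(set(values)) < len(values)

if __name__ == "__main__":
    print(md5_chain("password", 3))  # the page's chain for "password"
    two_users = ["abc123", "abc123"]  # constructed: two accounts, same password
    print(stored_values_collide(lambda pw: iterated_store(pw, 3), two_users))
    print(stored_values_collide(lambda pw: salted_store(pw, new_salt(), 3), two_users))
```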
Thank you so much for sharing this decrypter. You have also provided a rich amount of detail to explain all about md5 algorithm. I will recommend this widget to all my friends too.