As we all know, MD5 (Message Digest 5) is a one-way digest algorithm: once a string has been digested/hashed, we cannot get the original string back. Really…?
Can we decrypt MD5 hashes? Ummm… Yes!
Let's see how to get the original string back from an MD5 hash.
There is a very straightforward approach to recovering the original string from an MD5 hash, known as Reverse Lookup (a.k.a. brute force).
It works because MD5 always generates the same hash for the same input string.
If we create a database that maps each original string to its MD5 hash (covering all possible characters of the desired string length and all their permutations), as shown in the table below, then in the end we will have a database of all possible strings and their corresponding hashes.
Now, if we want to know the original string behind an MD5 hash, we search the database for that hash instead of for the original string.
In other words, if we create a database of all possible original strings by permuting their character sequences, we end up with the hash of every such string, so we can search for any particular hash to "decrypt" it.
Since building and maintaining this mapped database takes a lot of computation and a lot of storage, we can instead use an online MD5 decrypting website such as md5decrypt.net, which is based on the same technique.
Now the question arises: is MD5 secure enough to use for storing important data such as passwords, OTPs, etc.?
Yes, but only with an appropriate salt. Using MD5 to store critical data such as passwords and OTPs in the database without an appropriate salt is not recommended, and MD5 should not be used without a salt because:
- MD5 doesn't have any internal salt-creation mechanism, as some other hashing algorithms such as bcrypt (based on the Blowfish cipher) do.
- for a simple password or OTP, it is very easy to get the original string (password/OTP) back from the MD5 hash.
How the salt plays its role:
MD5 is a hashing function, which means we use it where we will have to authenticate something in the future, and at that point we are not interested in the original string itself. We only want to confirm that the current string (the value the user entered) is the same string for which we stored the hash. That is, we hash the user-entered password/OTP again and match it against the stored hash.
So we can use a strong salt and combine it with the original string while creating the hash to store in the database, e.g.:
$hashedKey = md5(_SALT1_.$password._SALT2_); // save this $hashedKey in the database
The next time the user enters their password, use the same salt to create the hash and check it against the stored hash.
Use longer salts so that breaking the resulting hash by brute force becomes much more difficult.
Also, if you are not working on an open-source platform/product/software, you can use your own logic to make the hash unbreakable, so that a hacker cannot get the real password/OTP (even after the database has been hacked), e.g.:
$hashedKey = md5(_SALT1_.($otp*2.5)._SALT2_); // save this $hashedKey in the database and use the same process to create the hash while authenticating
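To tie the two halves of this post together, here is an added Python example (not code from the original post) that builds a small version of the mapped database from the Reverse Lookup section, shows that the unsalted hash of a short password is recovered from it instantly while the salted hash from the scheme above is not, and verifies a login by re-hashing with the same salts. The SALT1/SALT2 values, the 1- to 3-letter lowercase alphabet and the sample password "cat" are assumptions made for the demo.

```python
import hashlib
import hmac
import itertools
import string


def build_lookup_table(alphabet=string.ascii_lowercase, max_len=3):
    """Constructed 'mapped database': MD5 hex digest -> original string for
    every lowercase string of length 1..3 (26 + 676 + 17576 = 18278 entries)."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            plain = "".join(chars)
            table[hashlib.md5(plain.encode()).hexdigest()] = plain
    return table


def reverse_lookup(table, digest):
    """Return the original string for an MD5 hex digest, or None if unknown."""
    return table.get(digest.lower())


# Hypothetical application-wide secret salts, standing in for _SALT1_/_SALT2_.
SALT1 = "k7#Qz!p"
SALT2 = "@mR4^x"


def salted_md5(secret, salt1=SALT1, salt2=SALT2):
    """md5(salt1 . secret . salt2), the scheme shown in the PHP line above."""
    return hashlib.md5((salt1 + secret + salt2).encode()).hexdigest()


def verify(stored_hash, entered, salt1=SALT1, salt2=SALT2):
    """Re-hash the entered value with the same salts; compare in constant time."""
    return hmac.compare_digest(stored_hash, salted_md5(entered, salt1, salt2))


def demo():
    table = build_lookup_table()
    unsalted = hashlib.md5(b"cat").hexdigest()  # what an unsalted DB would store
    salted = salted_md5("cat")                 # what the salted DB stores
    return {
        "unsalted_recovered": reverse_lookup(table, unsalted),  # 'cat'
        "salted_recovered": reverse_lookup(table, salted),      # None
        "login_ok": verify(salted, "cat"),
        "login_bad": verify(salted, "car"),
    }


if __name__ == "__main__":
    print(demo())
```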
Thanks for Reading!!