Request Quote

Decrypting MD5 hashes by Reverse Lookup/Brute Force

As all of us already knows that MD5 (message digest) is one-way digest algorithm. It means we can’t get the original string back once it gets digested/hashed. Really…?

Can we decrypt the md5ed hashes?     ummm….. Yes!

Let’s see how to get back the original string from the md5 hashes.

It is a very straightforward approach to get back the original string from the MD5ed hash known as Reverse Lookup. (aka brute-force)

As MD5 always generate the same hashed key for the same input string.

If we create a mapped database between original string and md5ed hashed key of the strings(all possible characters of the desired length of string and their permutations) as shown in the below table. Then, at last, we will have a database of all the possible strings and their relative hashed keys.

Now, if we want to know the original string from md5 hashed key then we search the database for that hash key instead of the original string

For example:


hash_key original_string
02ffa6505a9717c36292cd9bf76972fc qwerty@12345
6d0952a65f2fcf9fa553a8956414e596 md5decrypt
f68e2a0caa1d7bc2d30ddcb5db33e9d4 simplep@ssw0rd
c633a43739df88f9280e89d001ed69e9 anycommonstring


If we create a database of all possible original string by permutating their character sequence. Then finally, we will have the hash key of every string. So, we can search for any particular hash key to decrypt.

Since it will take a lot of computation and also a lot of storage to maintain this mapped database, Instead of that we can use the online md5 decrypting website like based on the same technique.


Now the question arises, Is MD5 secure enough to use in the process of storing any important data such as password, OTP etc?

Yes, but with the appropriate salt, Using the md5 for storing critical data such as password and OTP in the database without appropriate salt is not recommendable and md5 should not be used without salt because:

  • md5 doesn’t have any internal salt creation mechanism as some other hashing algorithm such as BCrypt(based on Blowfish Cipher) has.
  • it is very easy to get the original string (password/OTP) from the md5 hashed key for simple password or OTP

How salt plays its role:

MD5 is a hashing function it means we are using it where we have to authenticate something in future and also at that point we are not interested in the original string while authenticating. We only want to confirm that the current string(user entered value) is the same string for which we stored the hashed key. Means we are hashing again the user entered password/OTP and matching it against the stored hashed key.

So we can use a strong salt and append it to the original string while creating the hash key to store in the database, Eg:

$hashedKey = md5(_SALT1_.$password._SALT2_); // save this $hashedKey in the database

Next time when the user enters his password then use the same salt to create the hash and check it against the stored hashed key.

Try to make longer salts so that it will be so difficult to break the resulted hash key by brute-force.

Also If you are not working on the open-source platform/product/software. Then, you can use your logic to make it unbreakable for the hacker to get the real password/OTP. (Even after getting the database hacked) Eg:

$hashedKey = md5(_SALT1_.($otp*2.5)._SALT2_); // save this $hashedKey in the database and use the same process to create hash while authenticating

Thanks for Reading!!

. . .

Comments (2)

Add Your Comment

  • md5
    Md5 can not be descrypted, but it can be lookup in a key-value dictionary. is such a website.
    • Suraj Kumar
      Yes you are right, same as described in this article
  • css.php
    Hire Us!
    Brief us about your requirements and we'll get back to you.
    Woo! Hooy!
    We have just recieved your project brief and our expert will contact you shortly.
    Send Again