MD5, speaking in popular language, is a single-path hash .
There is no information to reverse the hash to the original value.
Several websites offer solutions to "reverse" the hash a few years ago and this causes some confusion because anyone who does not understand the subject eventually believes that MD5 is reversible. What these sites offer is called rainbow table . The technique consists of the same logic as a
force .
Rainbow tables are just a database containing strings and their values in MD5.
This scheme works only for hashes without a "jump".
The logic is simple. A script automatically generates, in an "infinite loop," all kinds of possible character combinations. Within this loop repetition, the MD5 hash of that combination is also generated and saved in a database, which has a nickname known as "rainbow table".
Currently, several sites guarantee to have combinations of 5 full characters and almost completing 6 characters.
To understand better, see an example of the logic involved:
Combinations of size 1 characters and their MD5
a -> 0cc175b9c0f1b6a831c399e269772661
b -> 92eb5ffee6ae2fec3ad71c777531578f
c -> 4a8a08f09d37b73795649038408b5f33
And so it goes on until it generates the MD5 of all character types, including multibyte numbers and characters
あ -> 8c0c3027e3cfc3d644caab3847a505b0
い -> 655dcb0e6519c34baf6d9d53e1932389
う -> 31e55ff7f86aaee740277059a9983d89
□ -> 8c8586b6fb99a8815eeec4ea97e6222d
It seems easy to generate hashes, however, you have to create the combinations.
Here is an example of size 2:
ab -> 187ef4436122d1cc2f40dc2b92f0eba0
ac -> e2075474294983e013ee4dd2201c7a73
ba -> 07159c47ee1b19ae4fb9c40d480856c4
bc -> 5360af35bde9ebd8f01f492dc059593c
ca -> 5435c69ed3bcc5b2e4d580e393e373d3
cb -> d0d7fdb6977b26929fb68c6083c0b439
So far it seems easy, but imagine 5 combinations. How many possible combinations are there in 5 houses?
abcde -> ab56b4d92b40713acc5af89985d4b786
acbde -> e0e56a95aff0ee48fc44e8a4faf69adb
adbce -> a44a7eb2135809f67ce273e0de8b52cb
Even with size 5, it does not seem difficult if you only deal with Roman alphabet and numbers, but remember that you should also include special / multibyte characters. At that point the combinations go from trillions of records.
How do these sites return the value of a hash?
Only querying the database.
select original from rainbowtable where hash = 'ab56b4d92b40713acc5af89985d4b786'
This would return "abcde" if it has already been previously saved in the database.
Therefore, it is recommended to avoid short passwords, less than 6 characters and also passwords containing simple characters.
Simple password example, where, of course, rainbow tables sites already have their hashes:
abc
111
123
abc123
senha
passord
user
admin
123456
111111
When creating a password, try to do at least something like this:
j&SCjV:Kd#A!6VN7x=eY
Mix special characters, uppercase and lowercase letters, numbers. Finally, the larger and more complex the smaller the possibility of existing in a rainbow table or being broken by brute force .
Password Recovery
It should be possible to retrieve this MD5 in the database and display "password" from
back in an information update form, do not you?
A website that returns the original password to the user is unsafe. When you find a site that does this, avoid using it if you have important information, especially financial transactions.
A website that can see the password entered by the user, violates privacy and basic security standards because even a hosting server administrator or the site programmer can be malicious and obtain the passwords of the users.
An aggravating factor in this is that most users use the same password for everything. Email services, social networking accounts, even a credit card password.
That is, if you can get the password, you will have the passport for almost all or all of the accounts that this user has on third party services.
The same 1234 password, which is used on facebook, also uses credit card, debit card, email and various services. Unfortunately the user relinquishes his own security for "practicality".
(The term * facebook is a simple example. Of course facebook does not allow such a password)
At this point comes the responsibility of service providers to force the user to create complex passwords. The complexity depends on the service business model.
Final note , there are also raibow tables from other hashes such as sha1, des, crypt16, among others.