I can decrypt MD5

**Colin F** · Thu 7 Sep '06, 4:49am

You're not decrypting, what you have is called rainbow tables

And just before anyone asks, vBulletins passwords are not affected by this, because they're hashed twice and salted.

**Zonex** · Thu 7 Sep '06, 4:52am

you sure your not just looking at an md5 database? http://md5.rednoize.com/

**Dean C** · Thu 7 Sep '06, 5:22am

Originally posted by Zonex

you sure your not just looking at an md5 database? http://md5.rednoize.com/

Indeed

**dreamer81** · Thu 7 Sep '06, 8:04am

Originally posted by Zonex

you sure your not just looking at an md5 database? http://md5.rednoize.com/

yeah Im sure
that database doesn't hold as many md5 hashes that i can decrypt

**filburt1** · Thu 7 Sep '06, 8:18am

You can't "decrypt" anything because MD5 hashes aren't "encrypted" forms of anything. And if they were, there would need to be certificate data, which you don't have. You're just guessing at common passwords.

**Marco van Herwaarden** · Thu 7 Sep '06, 9:10am

Like filburt also mentioned, MD5 is not an encryption, but a hash. The difference between these 2 is that with an encryption-algorythm it is a 2way process encrypt<->decrypt. With a hash this is a 1-way process, there is no decryption possible.

The only way to guess (you can never be sure, since 2 different originals could lead to the same hash) the original of a hash is to create a database of all possible plaintext->hash (rainbow table). These rainbow tables are different for each exact implementation of the algorythm. I have until now not seen any rainbow table for the multiple MD5 that vBulletin uses. The cahnce that there will ever be one is also very unlikely since it would take years of processing on some heavy duty servers to calculate them.

**Tree** · Thu 7 Sep '06, 5:29pm

It's possible to make a rainbow table for multiple MD5 + salts, but depending on the length of the salt, there's over 100 possibilities for one password.

**Jerry** · Thu 7 Sep '06, 5:32pm

There needs to be a thread with "This is encryption and this is a hash" .......

**filburt1** · Thu 7 Sep '06, 5:32pm

c16d33e92f948ede8fd0a51ea8c8ee5e . Unhash now. No, it's not profanity.

With an MD5 hash string that PHP generates, there are 16^32 possibilities for hashes. That's just about 340,282,366,920,938,463,463,374,607,431,770,000,000 possibilities (sorry about the lack of precision). So, if you could calculate a million MD5 hashes per second, it'll take you about 1078289752455631808069607.9785274 years maximum to get it right.

Windows Calculator > *

Having said that, this query should show you how many users have duplicate passwords, and therefore stupidly simple passwords in all likelyhood:

Code:

SELECT COUNT(password) - COUNT(DISTINCT password) FROM user

...if that works in MySQL (fine in PostgreSQL) and if the table is set up as I recall.

**Joe Gronlund** · Thu 7 Sep '06, 7:09pm

Originally posted by Colin F

And just before anyone asks, vBulletins passwords are not affected by this, because they're hashed twice and salted.

LOL

Salted

Do we get cheese with that??

**MRGTB** · Thu 7 Sep '06, 8:01pm

Originally posted by Joe Gronlund

LOL

Salted

Do we get cheese with that??

I'm hungry now. Cheese and crisp buttys, with salt on of course.

**Joe Gronlund** · Thu 7 Sep '06, 8:17pm

Originally posted by Gary Bolton

I'm hungry now. Cheese and crisp buttys, with salt on of course.

Me too

**Colin F** · Thu 7 Sep '06, 10:27pm

filburt1, that query won't work because of the salt. Even if 5 people have the same password, the salt will change the second hash.

**Marco van Herwaarden** · Fri 8 Sep '06, 12:26am

.....and even without the salt, 2 different passwords could lead to the same hash, so duplicate hashes would not need to mean that the passwords are the same.

I can decrypt MD5

I can decrypt MD5

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment