Re: Decrypting MD5
Just to clarify Rick, the MD5 is not strictly speaking an encryption algorithm. It's a hashing algorithm; hashes by their very nature are intended to be one way and destructive. There are only a finite number of possible results of the MD5 hash, which is how people have constructed tools to decrypt the hash, but what they are really doing is simply trying to create a massive repository of possible decryptions from the hash.

Think of this scenario: since there is a finite (albeit very large) pool of possible hash results, there are an infinite number of strings that could generate the same hash result. So you can't REALLY decrypt a hash back to its original string, just any known string that creates that hash.

Not a real example, but to illustrate the point:

Your super secret password: password1234 = MD5 hash bdc87b9c894da5168059e00ebffb9077

That hash may also be the preamble to the constitution... =]

On Thu, Mar 12, 2015 at 8:03 AM, Russ Michaels r...@michaels.me.uk wrote:

> Brute forcing MD5 hashes is really only going to work if you are still using weak passwords to begin with and just hashing them. This then works in exactly the same way as a brute force dictionary attack on a plain password, except they try the hashed version of the same password.
>
> You should always allow strong passwords and pass phrases, sadly so many sites still do not do this.
>
> On Thu, Mar 12, 2015 at 2:43 PM, Byron Mann byronos...@gmail.com wrote:
>
> > Just for reference. Here's a pretty good article on how to hash properly.
> > https://crackstation.net/hashing-security.htm
> >
> > Hashing is often done incorrectly, even if it's being salted you never want to use the same salt across the board.
> >
> > Simple thing is, compute power is so available, brute forcing MD5 hashes is fairly easy these days. I wouldn't even recommend using MD5 for anything secure like a hash of a password. Stick to that for simple things like file compares, etc.
> >
> > Cheers,
> > ~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360258
RE: Decrypting MD5
Hashes have other uses as well.

I pull data from a source database that has over 3 gigs of data in it and every hour the owners of that database flag all the rows as updated even if they weren't. I need to pick up just the changed rows, so I pull down the primary key and a hash of all of the rest of the fields (but not the changed flag) and compare it to what I have in my database. If the key matches and the hash doesn't then I pull down that row. I went from pulling down 3 gigs every hour to just a few hundred rows ( 1 meg).

Hashes have all sorts of uses!

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Thursday, March 12, 2015 9:09 AM
To: cf-talk
Subject: Re: Decrypting MD5

> So basically MD5 is useless if you can't decrypt the value! That sucks.

I don't know about useless. Hashing is not the same as encryption. They're intended to solve different problems.

Let's say you're using a Windows network, with Active Directory. Active Directory doesn't actually know your password, because it doesn't need to know. All it needs to know is, did you enter the correct password when you hit Ctrl+Alt+Delete this morning - and it doesn't need to know what the password is in that case. Your workstation takes your plaintext password, generates a hash, and sends it to AD. AD compares the hash to the one it stored when you set your password in the first place. If they match, there's an extremely high likelihood that the plaintext passwords match as well.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360241
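The change-detection approach described in the message above, as an added Python example that is not the poster's code. The column names, the sample rows and the use of SHA-256 are assumptions; in practice the source side computes the fingerprint so only key and hash cross the wire, and the naive variant is included to show the field-boundary pitfall.

```python
import hashlib

def _lp(data: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot run together."""
    return len(data).to_bytes(8, "big") + data

def row_fingerprint(row, exclude=("id", "changed")):
    """SHA-256 over every column except the key and the unreliable flag."""
    h = hashlib.sha256()
    for name in sorted(k for k in row if k not in exclude):
        value = row[name]
        # NULL gets its own marker so it never collides with an empty string.
        body = b"N" if value is None else b"V" + str(value).encode("utf-8")
        h.update(_lp(name.encode("utf-8")) + _lp(body))
    return h.hexdigest()

def naive_fingerprint(row, exclude=("id", "changed")):
    """Pitfall: plain concatenation lets text move between columns unnoticed."""
    joined = "".join(str(row[k]) for k in sorted(row) if k not in exclude)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def rows_to_pull(source_rows, local_fingerprints, fingerprint=row_fingerprint):
    """Primary keys that are new locally or whose fingerprint differs."""
    return sorted(r["id"] for r in source_rows
                  if local_fingerprints.get(r["id"]) != fingerprint(r))

# Constructed sample data: what we hold locally ...
LOCAL = [
    {"id": 1, "name": "Ann", "city": "Austin", "changed": 0},
    {"id": 2, "name": "Bob", "city": "Boston", "changed": 0},
    {"id": 3, "name": "c", "city": "ab", "changed": 0},
]
# ... and the source, where every row is flagged changed regardless.
SOURCE = [
    {"id": 1, "name": "Ann", "city": "Austin", "changed": 1},  # untouched
    {"id": 2, "name": "Bob", "city": "Denver", "changed": 1},  # real change
    {"id": 3, "name": "bc", "city": "a", "changed": 1},        # text moved across columns
    {"id": 4, "name": "Dee", "city": None, "changed": 1},      # new row
]

def demo():
    good = {r["id"]: row_fingerprint(r) for r in LOCAL}
    naive = {r["id"]: naive_fingerprint(r) for r in LOCAL}
    return (rows_to_pull(SOURCE, good),
            rows_to_pull(SOURCE, naive, naive_fingerprint))

if __name__ == "__main__":
    print(demo())
```
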
Re: Decrypting MD5
Just for reference. Here's a pretty good article on how to hash properly.
https://crackstation.net/hashing-security.htm

Hashing is often done incorrectly, even if it's being salted you never want to use the same salt across the board.

Simple thing is, compute power is so available, brute forcing MD5 hashes is fairly easy these days. I wouldn't even recommend using MD5 for anything secure like a hash of a password. Stick to that for simple things like file compares, etc.

Cheers,
~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360248
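An added Python example (not from any poster in the thread) of the two points in the message above: an unsalted MD5 of a common password is found by a precomputed lookup, while a random per-user salt with a slow function stores identical passwords as different values. The user names, wordlist, iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users picked the same weak password.
USERS = {
    "alice": "password1234",
    "bob": "password1234",
    "carol": "correct horse battery staple",
}
COMMON_PASSWORDS = ["123456", "letmein", "password1234", "qwerty"]  # constructed

PBKDF2_ITERATIONS = 100_000  # assumption: tune to current guidance and hardware

def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup_table(words):
    """hash -> plaintext, which is all an online 'MD5 decrypter' holds."""
    return {md5_hex(w): w for w in words}

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn for each user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def audit():
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return {
        # Accounts whose stored MD5 appears in the precomputed table.
        "found_in_table": sorted(u for u, h in unsalted.items() if h in table),
        # Same password, same MD5: one lookup exposes both accounts.
        "md5_duplicates": unsalted["alice"] == unsalted["bob"],
        # Same password, different salts: stored values differ.
        "salted_duplicates": salted["alice"][1] == salted["bob"][1],
        "correct_accepted": verify_password("password1234", *salted["alice"]),
        "wrong_rejected": not verify_password("password123", *salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```
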
RE: Decrypting MD5
Yeah checking hashed values of software is used to confirm changes or lack thereof. I use a piece of a hashed value in encrypted url query strings to make sure the value wasn't changed between requests.

Hash has a ton of uses.

On Mar 12, 2015 9:15 AM, DURETTE, STEVEN J sd1...@att.com wrote:

> Hashes have other uses as well.
>
> I pull data from a source database that has over 3 gigs of data in it and every hour the owners of that database flag all the rows as updated even if they weren't. I need to pick up just the changed rows, so I pull down the primary key and a hash of all of the rest of the fields (but not the changed flag) and compare it to what I have in my database. If the key matches and the hash doesn't then I pull down that row. I went from pulling down 3 gigs every hour to just a few hundred rows ( 1 meg).
>
> Hashes have all sorts of uses!
>
> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: Thursday, March 12, 2015 9:09 AM
> To: cf-talk
> Subject: Re: Decrypting MD5
>
> > So basically MD5 is useless if you can't decrypt the value! That sucks.
>
> I don't know about useless. Hashing is not the same as encryption. They're intended to solve different problems.
>
> Let's say you're using a Windows network, with Active Directory. Active Directory doesn't actually know your password, because it doesn't need to know. All it needs to know is, did you enter the correct password when you hit Ctrl+Alt+Delete this morning - and it doesn't need to know what the password is in that case. Your workstation takes your plaintext password, generates a hash, and sends it to AD. AD compares the hash to the one it stored when you set your password in the first place. If they match, there's an extremely high likelihood that the plaintext passwords match as well.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360242
Re: Decrypting MD5
No, it certainly is not useless. The whole point in hashing a value is so that it cannot be decrypted, typically this is used for passwords.

Imagine a hacker gets into your web app, which is extremely common, then all your encrypted data is useless, because he has access to your code and can decrypt it all at leisure. This is how all your personal data gets stolen or your identity. You signed up on some website that had poor security, the hackers got in and got their database, decrypted all the data, and got all your personal details including username/password. They will then typically take the username/password you used on this site and try it on other sites as well, so anywhere else you used the same login is now also compromised.

Most decent websites these days will hash sensitive data so that it cannot be decrypted and stolen.

Any code you do have which decrypts data, should be protected from prying eyes, in the case of CF you could compile the CFML to a java class and only upload that to the server, don't think there is anything much better than that for CF sadly. Or with PHP you would use something like Ioncube.

On Thu, Mar 12, 2015 at 12:59 PM, Rick Sanders r...@webenergy.ca wrote:

> So basically MD5 is useless if you can't decrypt the value! That sucks.
>
> Kind regards,
> Rick
>
> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: Thursday, March 12, 2015 9:57 AM
> To: cf-talk
> Subject: Re: Decrypting MD5
>
> > I want to know if I can decrypt passwords stored as MD5 in a SQL Server database using the Decrypt function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF.
>
> There are no tools that actually decrypt MD5 hashes, to the best of my knowledge. MD5 is a hashing algorithm, not an encryption algorithm. It lets you take a plaintext value and generates a hashed value, which cannot be decrypted.
>
> These online tools don't decrypt MD5 hashes. Instead, they have large databases of plaintext values and their corresponding MD5 hashes. When you hash a value, you should always get the same hash, so these tools compare the hash you provide against their database of existing hash values, and then lookup the corresponding plaintext value.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360244
Re: Decrypting MD5
Brute forcing MD5 hashes is really only going to work if you are still using weak passwords to begin with and just hashing them. This then works in exactly the same way as a brute force dictionary attack on a plain password, except they try the hashed version of the same password.

You should always allow strong passwords and pass phrases, sadly so many sites still do not do this.

On Thu, Mar 12, 2015 at 2:43 PM, Byron Mann byronos...@gmail.com wrote:

> Just for reference. Here's a pretty good article on how to hash properly.
> https://crackstation.net/hashing-security.htm
>
> Hashing is often done incorrectly, even if it's being salted you never want to use the same salt across the board.
>
> Simple thing is, compute power is so available, brute forcing MD5 hashes is fairly easy these days. I wouldn't even recommend using MD5 for anything secure like a hash of a password. Stick to that for simple things like file compares, etc.
>
> Cheers,
> ~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360252
Re: Decrypting MD5
> I want to know if I can decrypt passwords stored as MD5 in a SQL Server database using the Decrypt function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF.

There are no tools that actually decrypt MD5 hashes, to the best of my knowledge. MD5 is a hashing algorithm, not an encryption algorithm. It lets you take a plaintext value and generates a hashed value, which cannot be decrypted.

These online tools don't decrypt MD5 hashes. Instead, they have large databases of plaintext values and their corresponding MD5 hashes. When you hash a value, you should always get the same hash, so these tools compare the hash you provide against their database of existing hash values, and then lookup the corresponding plaintext value.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360235
RE: Decrypting MD5
It looks like you can if you know the salt:

http://www.hashkiller.co.uk/md5-decrypter.aspx
http://www.md5online.org/
http://md5decryption.com/
http://www.md5decrypter.com/

Robert Harrison
Full Stack Developer
AIMG
rharri...@aimg.com
Main Office: 704-321-1234 ext.118
Direct Line: 516-302-4345
www.aimg.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360237
RE: Decrypting MD5
So basically MD5 is useless if you can't decrypt the value! That sucks.

Kind regards,
Rick

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Thursday, March 12, 2015 9:57 AM
To: cf-talk
Subject: Re: Decrypting MD5

> I want to know if I can decrypt passwords stored as MD5 in a SQL Server database using the Decrypt function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF.

There are no tools that actually decrypt MD5 hashes, to the best of my knowledge. MD5 is a hashing algorithm, not an encryption algorithm. It lets you take a plaintext value and generates a hashed value, which cannot be decrypted.

These online tools don't decrypt MD5 hashes. Instead, they have large databases of plaintext values and their corresponding MD5 hashes. When you hash a value, you should always get the same hash, so these tools compare the hash you provide against their database of existing hash values, and then lookup the corresponding plaintext value.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360236
RE: Decrypting MD5
> So basically MD5 is useless if you can't decrypt the value! That sucks.

Maybe, if you're storing data you need to retrieve. Generally I use it for data I need to compare (like passwords), then I just encrypt the values the same way and compare the encrypted values.

Robert Harrison
Full Stack Developer
AIMG
rharri...@aimg.com
Main Office: 704-321-1234 ext.118
Direct Line: 516-302-4345
www.aimg.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360238
Re: Decrypting MD5
> So basically MD5 is useless if you can't decrypt the value! That sucks.

I don't know about useless. Hashing is not the same as encryption. They're intended to solve different problems.

Let's say you're using a Windows network, with Active Directory. Active Directory doesn't actually know your password, because it doesn't need to know. All it needs to know is, did you enter the correct password when you hit Ctrl+Alt+Delete this morning - and it doesn't need to know what the password is in that case. Your workstation takes your plaintext password, generates a hash, and sends it to AD. AD compares the hash to the one it stored when you set your password in the first place. If they match, there's an extremely high likelihood that the plaintext passwords match as well.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360240