Decrypting MD5

[hofar...@houseoffusion.com]

Hey all sorry if this has been asked before. I did Google and didn't come up with a result.

I want to know if I can decrypt passwords stored as MD5 in a SQL Server database using the Decrypt function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF. Thanks.

Kind regards,

Rick


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360234

[hofar...@houseoffusion.com]

> I want to know if I can decrypt passwords stored as MD5 in a SQL Server database using the Decrypt
> function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF.

There are no tools that actually decrypt MD5 hashes, to the best of my
knowledge. MD5 is a hashing algorithm, not an encryption algorithm. It
lets you take a plaintext value and generates a hashed value, which
cannot be decrypted.

These online tools don't decrypt MD5 hashes. Instead, they have large
databases of plaintext values and their corresponding MD5 hashes. When
you hash a value, you should always get the same hash, so these tools
compare the hash you provide against their database of existing hash
values, and then lookup the corresponding plaintext value.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360235

[hofar...@houseoffusion.com]

So basically MD5 is useless if you can't decrypt the value! That sucks.

Kind regards,

Rick

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Thursday, March 12, 2015 9:57 AM
To: cf-talk
Subject: Re: Decrypting MD5


> I want to know if I can decrypt passwords stored as MD5 in a SQL
> Server database using the Decrypt function? There are online tools out there that decrypt MD5 so I'm hoping that I can do this in CF.

There are no tools that actually decrypt MD5 hashes, to the best of my knowledge. MD5 is a hashing algorithm, not an encryption algorithm. It lets you take a plaintext value and generates a hashed value, which cannot be decrypted.

These online tools don't decrypt MD5 hashes. Instead, they have large databases of plaintext values and their corresponding MD5 hashes. When you hash a value, you should always get the same hash, so these tools compare the hash you provide against their database of existing hash values, and then lookup the corresponding plaintext value.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor- authorized instruction at our training centers, online, or onsite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360236

[hofar...@houseoffusion.com]

It looks like you can if you know the salt:

http://www.hashkiller.co.uk/md5-decrypter.aspx

http://www.md5online.org/

http://md5decryption.com/

http://www.md5decrypter.com/


Robert Harrison
Full Stack Developer
AIMG
rhar...@aimg.com
Main Office: 704-321-1234  ext.118
Direct Line: 516-302-4345
www.aimg.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360237

[hofar...@houseoffusion.com]

> So basically MD5 is useless if you can't decrypt the value! That sucks.

Maybe, if you're storing data you need to retrieve. Generally I use if for
data I need to compare (like passwords), then I just encrypt the values the
same way and compare the encrypted values.

Robert Harrison
Full Stack Developer
AIMG
rhar...@aimg.com
Main Office: 704-321-1234  ext.118
Direct Line: 516-302-4345
www.aimg.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360238

[hofar...@houseoffusion.com]

> So basically MD5 is useless if you can't decrypt the value! That sucks.

I don't know about useless. Hashing is not the same as encryption.
They're intended to solve different problems.

Let's say you're using a Windows network, with Active Directory.
Active Directory doesn't actually know your password, because it
doesn't need to know. All it needs to know is, did you enter the
correct password when you hit Ctrl+Alt+Delete this morning - and it
doesn't need to know what the password is in that case. Your
workstation takes your plaintext password, generates a hash, and sends
it to AD. AD compares the hash to the one it stored when you set your
password in the first place. If they match, there's an extremely high
likelihood that the plaintext passwords match as well.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360240

[hofar...@houseoffusion.com]

Hashes have other uses as well. I pull data from a source database that has over 3 gigs of data in it and every hour the owners of that database flag all the rows as updated even if they weren't. I need to pick up just the changed rows, so I pull down the primary key and a hash of all of the rest of the fields (but not the changed flag) and compare it to what I have in my database. If the key matches and the hash doesn't then I pull down that row. I went from pulling down 3 gigs every hour to just a few hundred rows (< 1 meg).

Hashes have all sorts of uses!

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Thursday, March 12, 2015 9:09 AM
To: cf-talk
Subject: Re: Decrypting MD5

> So basically MD5 is useless if you can't decrypt the value! That sucks.

I don't know about useless. Hashing is not the same as encryption.
They're intended to solve different problems.

Let's say you're using a Windows network, with Active Directory.
Active Directory doesn't actually know your password, because it
doesn't need to know. All it needs to know is, did you enter the
correct password when you hit Ctrl+Alt+Delete this morning - and it
doesn't need to know what the password is in that case. Your
workstation takes your plaintext password, generates a hash, and sends
it to AD. AD compares the hash to the one it stored when you set your
password in the first place. If they match, there's an extremely high
likelihood that the plaintext passwords match as well.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360241

[hofar...@houseoffusion.com]

Yeah checking hashed values of software is used to confirm changes or lack
there of.

I use a piece of a hashed value in encrypted url qury strings to make sure
the value wasn't changed between requests.

Hash has a ton of uses.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360242

[hofar...@houseoffusion.com]

no it certainly is not useless.
The whole point in hashing a value is so that it cannot be decrypted,
typically this is used for passwords.

Imagine a hacker gets into your web app, which is extremely common, then
all your encrypted data is useless, because he has access to your code and
can decrypt it all at leisure. This is how all your personal data gets
stolen or your identity. You signed up on some website that had poor
security, the hackers got in and got their database, decrypted all the
data, and got all your personal details including username/password.They
will then typically take the username/password you used on this site and
try it on other sites as well, so anywhere else you used the same login is
now also compromised.

Most decent websites these days will hash sensitive data so that it cannot
be decrypted and stolen.

Any code you do have which decrypts data, should be protected from prying
eyes, in the case of CF you could compile the CFML to a java class and only
upload that to the server, don;t think there is anything much better than
that for CF sadly. Or with PHP you would use somehting like Ioncube.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360244

[hofar...@houseoffusion.com]

Rick,

There’s a huge difference between HASHING and Encryption. MD5 is a form of HASHING. Hashing is and has always been a one way thing. To simply let me explain a hash as a fingerprint. Every value or file has a unique fingerprint. This fingerprint IS the Hash value. Hash values are used to determine if a file or a value really is what it claims to be which is why you may see file downloads accompanied by their hash value. The Hash value itself DOES NOT CONTAIN the data you hashed.

Encryption is a totally different beast. Encryption is a two way process and the encrypted value DOES CONTAIN your data that you encrypted.

Please use the method that best applies to the solution you need.

Regards,
Wil


Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wil...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360246

[hofar...@houseoffusion.com]

Just for reference. Here's a pretty good article on how to hash properly.

https://crackstation.net/hashing-security.htm

Hashing is often done incorrectly, even if it's being salted you never want
to use the same salt across the board. Simple thing is, compute power is so
available, brute forcing MD5 hashes is fairly easy these days. I wouldn't
even recommend using MD5 for anything secure like a hash of a password.
Stick to that for simple things like file compares, etc.

Cheers,
~Byron

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360248

[hofar...@houseoffusion.com]

Brute forcing MD5 hashes is really only going to work if you are still
using weak passwords to begin with and just hashing them. This then works
in exactly the same way as a brute force dictionary attack on a plain
password, except they try the hashed version of the same password.
You should always allow strong passwords and pass phrases, sadly so many
sites still do not do this.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360252

[hofar...@houseoffusion.com]

Just to clarify Rick, the MD5 is not strictly speaking an encryption
algorithm. It's a hashing algorithm, hashes by their very nature are
intended to be one way and destructive.

There are only a finite number of possible results of the MD5 hash, which
is how people have constructed tools to "decrypt" the hash, but what they
are really doing is simply trying to create a massive repository of
"possible" decryptions from the hash.

Think of this scenario, since there is a finite (albeit very large) pool of
possible hash results - there are an infinite number of strings that could
generate the same hash result. So you can't REALLY decrypt a hash back to
it's original string, just any known string that creates that hash.

Not a real example, but to illustrate the point

Your super secret password: password1234 = MD5
hash bdc87b9c894da5168059e00ebffb9077

That Hash may also be the preamble to the consitiution...

=]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360258