#### Archived

This topic is now archived and is closed to further replies.

# What is the point of MD5?

## Recommended Posts

Well, hmm interesting...

Though I wonder to myself... Theres a infinite number of numbers (literally)... How does MD5 account for this?

Theoretically speaking,

A MD5 hash is 32 characters long

So (number wise speaking)....

1-9999,9999,9999,9999,9999,9999,9999,9999

Should have no collision...

1-9,9999,9999,9999,9999,9999,9999,9999,9999

Should have 1 hash for 10 different numbers...

1-9999,9999,9999,9999,9999,9999,9999,9999,9999

Should have 1 hash for 1000 different numbers...

1-9999,9999,9999,9999,9999,9999,9999,9999,9999,9999

Should have 1 hash for 10 million different numbers...

And the cycle continues?...

I confused myself way to much to even understand all this lol... I bet I don't even make sense.

##### Share on other sites

It solves that by having some inputs share the same hash.

Consider this function: f(x) = x mod 10. Here you have f(1) = f(11) = f(21), etc. (I had an example with that one earlier)

Also consider this: g(x) = x2 => g(x) = g(|x|) (e.g. g(1) = g(-1), but 1 != -1). These functions are surjections, that's to say they "fill out" their codomains.

Said in another way, a hashing function is a function of the form $$f : X \to Y$$ where $$|X| = \infty$$ and $$|Y| \in \mathbb{R}$$.

##### Share on other sites

Yar 99% of sites that don't use mysql store passwords in txt files somewhere on the site.. and 80% of these portals that people install don't even care where passwords are stored can be easily used to access a person's credentials. Such as PBLang - International PHP-forum I've used it on a free host that doesn't support mySQL.. you can see a persons password in md5 using a simple URL

host.com/pbLang/db/members/userGoeshere

Now searching in google using this string

Software PBLang 4.67.16.a © 2002-2006 by Martin Senftleben & the PBLang-Team

you will find many forums hosted and in many you can access persons password which is encoded with md5..

what makes it secure? it just is.. thats all you gotta say

##### Share on other sites

Damn right what's the point of MD5 when we've got this...

##### Share on other sites

what makes it secure? it just is.. thats all you gotta say

The fact you even ask that mean you haven't read the whole thread, so as I have said before, I don't repeat myself,

Simply put MD5 is a one-way hash function that expects a plaintext password and then outputs a hash, This hash is mathematically irreversible, meaning that it is impossible to determine the original password using only the hash.

Daniel0 and I have tried to explain this in this thread...

##### Share on other sites

Without salt you can crack with rainbow tables though...

##### Share on other sites

You know, I could write a long post now, or you could read this thread

##### Share on other sites

Topic made May 28th...Someone needs to stop being a necromancer.

##### Share on other sites

Without salt you can crack with rainbow tables though...

I ALWAYS recommend salt, but your statement isn't 100% true,

This statement is true

MD5 is a one-way hash function that expects a plaintext password and then outputs a hash, This hash is mathematically irreversible, meaning that it is impossible to determine the original password using only the hash.

But if your up for a challenge I'll offer the same challenge as Daniel

but without salt

here is a Pure MD5 no salt

I'll send you $50 over PayPal if you tell me what the what the plaintext value I used for this hash is: ec81f8fe815098e02460e0184d3eac4e It's not enough finding a string that matches the hash. You must prove that what you got is the same as what I originally had. Anyone else who wants to try can claim the$50 as well.

Now remember Daniel had salt So this should be easy for you..

##### Share on other sites

Madtechie, salt or not, if its over like 16 characters, there is no way a machine is gonna be able to brute force that.

Anyways...Could you make it $500? Maybe it'll bring the want to figure it up. Edit: Wait, wait, no how about$5000?

Edit: Oh wait a minute, we have to prove that they are matching. Thats impossible.

##### Share on other sites

LOL it doesn't matter about the length, its not possible even using brute force

You must prove that what you got is the same as what I originally had.

we have covered all of this!

Oh and sure $5000, How about this I'll offer$15,000 if you crack it in a week and if you don't you give me $5000 but you only have 24hour to accept #### Share this post ##### Link to post ##### Share on other sites I suppose I can also reiterate one of my previous challenges in this topic. Given a hashing function f(x) = x mod 10, my phone number inserted into that function has the output 4. Now give me a call. I'll pay fees on your phone bill and a little extra. #### Share this post ##### Link to post ##### Share on other sites LOL it doesn't matter about the length, its not possible even using brute force Well, even assuming you didn't want proof and just wanted a match, if it was over 16, that would still be near impossible. But atleast possible. Now give me a call. I'll pay fees on your phone bill and a little extra. Well lets see...Since you didn't require any proof...only...xxx-xxxx-xxx...9,999,999,999 possiblites. Heck, I'm just gonna brute force these numbers until I call daniel! EDIT: Oops, I forgot the number format is xx-xxx-xxxx-xxx or xxx-xxx-xxxx-xxx. I forgot which one it is. Regardless, since I know he is in denmark, there can only be a max of the previous given number. #### Share this post ##### Link to post ##### Share on other sites I suppose I can also reiterate one of my previous challenges in this topic. Given a hashing function f(x) = x mod 10, my phone number inserted into that function has the output 4. Now give me a call. I'll pay fees on your phone bill and a little extra. LOL, my number is 6 my mobile is 7 anyone a 5 ? LOL it doesn't matter about the length, its not possible even using brute force But atleast possible. PugJr , please tell me your joking.. as that's quite a dumb statement to make! i have already told you it is mathematically irreversible, meaning that it is impossible to determine the original password using only the hash. #### Share this post ##### Link to post ##### Share on other sites Without salt you can crack with rainbow tables though... Yeah, @MadTechie, that password is probably pretty random consisting of lowercase/uppercase/numbers etc. I said you can crack MD5. But only if it's relatively simple. But tbh, who actually puts effort into making a secure password (except programmers etc)? Most people use the same password for everything. Something like "hello" or "i love xxx". They would be crackable. #### Share this post ##### Link to post ##### Share on other sites PugJr , please tell me your joking.. as that's quite a dumb statement to make! To obtain any content that has the same hash as yours is possible. To prove that its the one you made, is not. I am saying its possible to find a matching hash with infinite CPU power (I'm not sure but is it possible a shared web host is offering that?). I'm not saying its possible to prove that the content I used to make the hash is the same as yours. So, yes, I am serious. #### Share this post ##### Link to post ##### Share on other sites Well lets see...Since you didn't require any proof...only...xxx-xxxx-xxx...9,999,999,999 possiblites. Heck, I'm just gonna brute force these numbers until I call daniel! Well, Danish phone numbers are eight digits, so now you're down to 10,000,000 (remember that numbers start from 0). However, you know that it ends with 4, so that means you're down to 1,000,000. Not all numbers are used though. Nobody has the phone number (+45) 00000000 for instance, so if you lookup the valid ranges you can further decrease it. See how easy I am making it. Limiting the range by telling it's a phone number, giving you hints to further decrease the possible range. Without salt you can crack with rainbow tables though... Yeah, @MadTechie, that password is probably pretty random consisting of lowercase/uppercase/numbers etc. I said you can crack MD5. But only if it's relatively simple. But tbh, who actually puts effort into making a secure password (except programmers etc)? Most people use the same password for everything. Something like "hello" or "i love xxx". They would be crackable. This is a mathematical subject. It doesn't matter if "hello" matches the hash you are given because there are an infinite number of other matches, so you have no means of verifying that "hello" was the original value or one of the other infinite matches. #### Share this post ##### Link to post ##### Share on other sites Again with the passwords.. Okay read the topic.. all of this has been covered.. Here the thing people are not getting. 1. Can you generate an input that matches the hash output, Yes 2. Can you reverse the has back to its original state, NO creaking MD5 would mean 2 was true BUT ITS IMPOSSIBLE! adding salt just adds extra protection for the limitation of the passwords entered (length, characters) PugJr: if you mean you can get the same contents then your wrong.. if you have a finger print, can you clone someone from it ? you maybe able to create someone with the same finger print but is the DNA the same.? You won't know unless you can compare to the original but you only have a finger print! #### Share this post ##### Link to post ##### Share on other sites Lol yeah, but the chances of having an MD5 hash cracked is considerably higher without salt. I'm just saying...you need to use salt. #### Share this post ##### Link to post ##### Share on other sites I have a challenge that could get you up to$15,000 if you want to take the challenge or you could take the \$5000 version any time.

Your statement should be if you don't use salt your password it more likely to have a hash match in a rainbow table.

##### Share on other sites

You defintely /can/ get the same content. Okay, take this for instance, madtechie. Lets say I have a computer with infinite speed. So of course with infinite speed I can obtain infinite ammount of hashes. So I can get your exact content, but there is no possible way of me knowing which one is yours.

The only flaw to this hypothetical situation is I would have an infinite ammount of the same hashes that you need me to find...Hm...

But regardless, I still obtained your exact content4 (Well, not knowing which content is yours though, but as a group of hashes, one of them must be yours.), without knowing which is yours. I have to if I have every hash possible.

I do agree that it isn't possible to prove that the content of one hash is the same one as yours BUT still regardless, I can get the same 32 hash characters.

So anyways point is: All the content I've used md5() on, which is everything, must be one with your content as your content is apart of something. But yes, I still do agree it isn't possible to prove which one is yours.

##### Share on other sites
if you don't use salt your password it more likely to have a hash match in a rainbow table.

Thus is more likely to get cracked, hence my initial point. So yeah

##### Share on other sites

Infinite time, still means infinite possibilities.. with this ever grown list of possibilities theirs no way your when you have mine in that list.. so when could/would you stop.. surely you can only stop when you know you have the original which means you need all possibilities which is infinite.. thus not possible!

This statement still remains true

This hash is mathematically irreversible, meaning that it is impossible to determine the original password using only the hash.

jxrd: indeed but that's nothing to do with cracking MD5, that's cracking a password that the salt makes stronger

##### Share on other sites

You need to learn how to read. You cannot "crack" a hash. It doesn't make any sense to say that. Believe it or not, but hash tables are not exclusively used for passwords. In fact, I'm sure you've used them extensively. An associative array is just another word for a hash table.

Taking it completely away from this password thing (which is clearly confusing you), imagine a dictionary. We define the hash of a word as the first letter of the word. Using the English alphabet this means it can be a through z, i.e. 26 different hashes. So "monkey" has the hash "m" and "house" has the hash "h". If I simply give you the hash "f" you cannot possibly revert that back to the word I had in mind.

You defintely /can/ get the same content. Okay, take this for instance, madtechie. Lets say I have a computer with infinite speed. So of course with infinite speed I can obtain infinite ammount of hashes. So I can get your exact content, but there is no possible way of me knowing which one is yours.

You cannot have an infinite amount of anything. Hilbert's paradox of the grand hotel illustrates this in a very clear way.

Imagine a hotel with an infinite number of rooms that are all booked. A guest's room number is denoted n. Now someone comes into the hotel asking for a room so the hotel manager asks all the guests to move to room number 1+n. This leaves room for our new guest in room number 1. Now an infinite number of new people ask for rooms, so the hotel manager asks everybody to move to room number 2n. This leaves all the odd room numbers available. So even though all the infinite number of rooms were booked there were place for an infinite number of new guests. You cannot both have everything booked and have rooms available, so it must be impossible to have an infinite number of something.

This kind of argument is called reductio ad absurdum. You first assume that something is true, but find that it being true leads to an absurd situation thus the initial assumption must be false.

##### Share on other sites

I think I'm not doing a good job of explaining on what I mean.

Lets say I cover up to 30 characters. My objective is to find the content of hash (No this isn't a real hash, this is just used for the purpose of a point.) "pug". Okay thats the hash. Now, I run up to all 30 characters and get:

George

House

bob

dog

Those when used with hashmaker() (No, that isn't a function either.) will all convert to "pug". So it also took 5000 years to get all the hashes done, but anyways, now, I have obtained every possible hash that is "pug" up to 30 characters. Now, although I can't know the exact hash to the one that the person used, I know it still has to be within that group and I have obtained the original content, but just not sure which one is the real one. Now put this into context.

There is hash "ec81f8fe815098e02460e0184d3eac4e". I go up to a google plex of characters. Now I have:

(These don't make ec81f8fe815098e02460e0184d3eac4e when hashed, but its for the purpose of the point.)

spamabcdefg

fdmgiIJSDFMosdf

KSPDSDV

etc.

Now I have a set ammount of hashes. I guarntuee you, that now I do have your orignal content. But like I said, its impossible to prove which one is yours, BUT I still have it in that group of content hashed into "ec81f8fe815098e02460e0184d3eac4e".

Why would this not work? I've read the posts on this. I know its not possible to use a function like unhashmd5() that gets the exact one as just through math like daniel explained, is impossible as there is an infinite ammount of strings per hash.

So anyways, madtechie, assuming I generated up to a googleplex of characters that all end out to "ec81f8fe815098e02460e0184d3eac4e", would you say that absoultely none of those match your content? So from what I understand, if your original content is under a googleplex of characters, I do have it, as a group of millions and millions of other hashes under "ec81f8fe815098e02460e0184d3eac4e".

##### Share on other sites
This topic is now closed to further replies.

×

• #### Activity

• Chat
×
• Create New...