Is MD5 hashing reversible?

 
Ranch Hand
Hi,

Is MD5 hashing reversible? I want to make sure the passwords of the users are secured. Please suggest if hashing is reversible, and if so, how.

Thanks,
Hemanth
 
Sheriff
It is not reversible, but is subject to dictionary attacks.

Password hashes should also be "salted" with a user-specific value.
 
Bear Bibeault
Sheriff
P.S. Other algorithms such as SHA-1 seem to be preferred these days over MD5.
 
Bartender
Hrithik, the OWASP site is a very useful resource for developers who need to implement security logic.
Read the following articles as a starting point for information on weak algorithms and recommendations:
OWASP guide to cryptography
Java hashing
Cryptographic storage cheat sheet
 
Rancher
Just nitpicking here, but SHA-1 is also considered out of date. SHA-2 is the state of the art.
 
Bear Bibeault
Sheriff

Ulf Dittmer wrote: Just nitpicking here, but SHA-1 is also considered out of date. SHA-2 is the state of the art.



Until next week or so...
 
Ranch Hand
What is meant by dictionary attacks?
Also, is there any solution for two strings giving the same hash value when using MD5?
 
Bear Bibeault
Sheriff
1. A list of known MD5 hashes.
2. Think about it mathematically, longer strings are condensed to shorter strings. Knowing that, what is the answer to your question?
 
author

sam liyanage wrote: What is meant by dictionary attacks?
Also, is there any solution for two strings giving the same hash value when using MD5?




A dictionary attack is exactly what it sounds like. Take a dictionary of all possible words, generate some common passwords (such as a word, two words together, a word followed by a digit, etc.), and try them out. Take the guessed password, MD5 hash it, and if it matches, you found a password (which is likely the original password).

In other words, while MD5 may not be reversible, it is still possible to just try lots and lots of guesses.

Henry
 
Rancher
Reversible is no longer the right question. There is no need to reverse it, you can just look it up.

Let me be clear. Do NOT use MD5. There are many rainbow tables and precomputed MD5 tables on the 'net. It provides no security.

Use one of the SHA-2 family. See http://en.wikipedia.org/wiki/SHA-2
Most serious folks use SHA-256.

Make sure you have a system-wide salt, and a user-specific salt, so technically, you are calculating an HMAC of the pass phrase. Do not restrict the users to one word (a password); allow them to enter as many characters as they want. You will hash it all down, so the length has no impact on your storage, database size, etc.
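
An added example, not code from any poster in this thread: it audits a constructed user table the way a defender would check their own credential store, comparing unsalted MD5 with an HMAC-SHA256 digest keyed by a system-wide secret over a per-user salt plus the pass phrase. The user names, passwords, the `PRECOMPUTED` table and the system-wide key are all constructed or hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short common-password list and a toy user table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein",
         "carol": "seven purple otters juggle quietly"}

def md5_hex(passphrase: str) -> str:
    return hashlib.md5(passphrase.encode("utf-8")).hexdigest()

# Digest -> password table: built once, reusable against every unsalted MD5 store.
PRECOMPUTED = {md5_hex(p): p for p in COMMON_PASSWORDS}

def salted_digest(passphrase: str, user_salt: bytes, system_key: bytes) -> str:
    # HMAC-SHA256 keyed with the system-wide secret over user salt + pass phrase.
    msg = user_salt + passphrase.encode("utf-8")
    return hmac.new(system_key, msg, hashlib.sha256).hexdigest()

def audit(stored: dict) -> list:
    """Names whose stored digest can simply be looked up in PRECOMPUTED."""
    return sorted(name for name, digest in stored.items() if digest in PRECOMPUTED)

def build_stores(system_key: bytes):
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}  # stored next to each digest
    salted = {u: salted_digest(p, salts[u], system_key) for u, p in USERS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_stores(os.urandom(32))  # hypothetical system-wide key
    print("unsalted MD5, found by lookup:", audit(unsalted))
    print("alice == bob (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("salted, found by lookup:", audit(salted))
    print("alice == bob (salted):", salted["alice"] == salted["bob"])
```

The salt removes the lookup and hides that two users share a password, but one HMAC pass is still fast to compute, so it does not by itself slow down guessing against a single account.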

 
Bartender

Pat Farrell wrote:
Most serious folks use key derivation functions like PBKDF2.


Fixed that for you
 
Ranch Hand

Pat Farrell wrote:
Most serious folks use key derivation functions like PBKDF2.


Jelle Klap wrote:
Fixed that for you



I agree

And though PBKDF2 can only strengthen an algorithm like SHA-256, I'm a Whirlpool man myself.
 
Pat Farrell
Rancher

Jelle Klap wrote:

Pat Farrell wrote:
Most serious folks use key derivation functions like PBKDF2.


Fixed that for you



I don't understand why running 500 or more iterations of a good hash improves anything. Other than a bit of security by obscurity, what's the benefit?

BTW, I hate RSA's PKCS standards. I know, they are the industry standards, but they use so much of that @*$# ASN.1
 
Daniel Hirning
Ranch Hand

Pat Farrell wrote:
I don't understand why running 500 or more iterations of a good hash improves anything. Other than a bit of security by obscurity, what's the benefit?



I love talking security

It takes longer to hash, but basically more iterations equates to less brute force attacks per second.

The question is if you find worth in knowing your password will be cracked in (y) instead of (x) years when both numbers are beyond the length of your life?

My answer would be yes, as I don't know who is making the computer that is going to cut (x) to a crackable size, and (y) may keep my head out of water.
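
An added example, not code from any poster in this thread: password storage and verification with PBKDF2-HMAC-SHA256 and a per-user salt, plus a timing probe that shows how the iteration count sets the cost of every guess. The record format, the function names and the `ITERATIONS` value are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware
SCHEME = "pbkdf2_sha256"

def derive(passphrase: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)

def hash_password(passphrase: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)  # fresh per-user salt, stored in the record
    dk = derive(passphrase, salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(passphrase: str, stored: str, current: int = ITERATIONS):
    """Return (ok, needs_rehash); needs_rehash flags records below the current cost."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, False  # malformed record: reject, never raise to the caller
    if scheme != SCHEME or iterations < 1:
        return False, False
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(derive(passphrase, salt, iterations), expected)
    return ok, ok and iterations < current

def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    salt = b"\x00" * 16  # fixed salt is acceptable for a timing probe only
    start = time.perf_counter()
    for _ in range(rounds):
        derive("timing probe", salt, iterations)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    for n in (1, 1_000, ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.6f} s per guess")
```

The legitimate server pays this cost once per login, while anyone guessing against a stolen record pays it for every candidate; the `needs_rehash` flag lets old records be upgraded at the next successful login when the work factor is raised.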
 