MD5 Cracker

One of the most popular ways of securely storing passwords is to hash them with MD5. Many online services and some applications use it because it is an efficient way to store a user’s password securely. For example, if your password were “admin”, the MD5 hash would be “21232f297a57a5a743894a0e4a801fc3”.

There is no easy way to take an MD5 hash and reverse it back to the original text. Hardcore crackers, however, often keep databases of pre-calculated MD5 hashes that run to several gigabytes. By that I mean they go through the dictionary and calculate the MD5 hash of every known word, then move on to common password combinations. That way, when they get their hands on a database full of MD5 hashes, they can start searching to see whether any of the users used one of those common words.

Pieter over in the forum posted a big eye-opener for anyone who still uses common passwords. He pointed out a tool where a user can enter an MD5 hash in a text box. It then scans what appears to be a rather extensive database to see whether the hash corresponds to any of the known entries it has stored. Here are some of the results from the test Pieter did with it:

  • 21232f297a57a5a743894a0e4a801fc3 – CRACKED (admin)
  • 5f4dcc3b5aa765d61d8327deb882cf99 – CRACKED (password)
  • 33c5d4954da881814420f3ba39772644 – CRACKED (crackme)
  • ec79d4bed810ed64267d169b0d37373e – CRACKED (8612)
  • 61ebd641ffb9b13f2b3163677ef58b0a – CRACKED (2w9)
  • 2eaa8683175fa19f2710707e793b1f04 – FAILED (2w9ss)
  • 68dc6cbea6ddad512bc670c0df5c0804 – CRACKED (23984)
  • 22604bba610abedf926b74646008896f – FAILED (613593)
  • 031e174662676c05db4e019eaaa4de3d – FAILED (65151611)
  • e425adc17b1e4feed1dc295b82d16cbd – FAILED (crackme123)
  • 80e48c2df0e639b36cf2a2a75cbd8fdb – FAILED (imahacker)

As you can see, the more complicated a password is, the less likely it is to be in the database. Over time the database will keep growing, and the first thing it will index is every password made up of lowercase letters and numbers. For that reason I urge everyone to re-evaluate the strength of their passwords. Consider mixing upper and lower case, and using both numbers and symbols. It will take a while to get used to a new password, but it’s worth the added security.
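The post describes the cracker’s approach only in words: hash every dictionary word once, then answer each query with a lookup. The script below is an added example (not the post’s or the linked site’s code) that does exactly that at toy scale, so you can check which of Pieter’s hashes fall to a wordlist you control. The wordlist is constructed for the demo; the hashes are the ones printed in the list above, with the page’s own CRACKED/FAILED verdicts kept alongside for comparison. Run as a defender’s audit, this is the cheapest possible check of whether a stored hash is one a precomputed table would find instantly.

```python
import hashlib

# Hashes copied from the post's list; the labels are the page's own verdicts,
# kept only so the script's result can be compared with the site's.
PAGE_HASHES = {
    "21232f297a57a5a743894a0e4a801fc3": "CRACKED (admin)",
    "5f4dcc3b5aa765d61d8327deb882cf99": "CRACKED (password)",
    "2eaa8683175fa19f2710707e793b1f04": "FAILED (2w9ss)",
    "80e48c2df0e639b36cf2a2a75cbd8fdb": "FAILED (imahacker)",
}

# Constructed, deliberately tiny stand-in for the multi-gigabyte word lists
# the post describes. The principle is identical at any size.
WORDLIST = ["admin", "password", "letmein", "123456", "qwerty", "crackme"]


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; every later query is a dict lookup."""
    return {md5_hex(w): w for w in words}


def check_hashes(hashes, lookup):
    """Map each queried hash to its plaintext, or None when the table lacks it."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    for h, found in check_hashes(PAGE_HASHES, table).items():
        status = f"CRACKED ({found})" if found else "FAILED"
        print(f"{h} - {status}   [page said: {PAGE_HASHES[h]}]")
```

Note that the table is built once and then answers any number of queries for free; that is why the size of the precomputed list, not the speed of MD5, decides what gets cracked. A password that is not in the list, however short, comes back FAILED, which is the behaviour Pieter saw with “2w9ss”.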

There Are 27 Comments

  1. Just watch out and don’t enter any of your secure passwords, as they are learning from you what you enter. Be warned…

  2. This can definitely get serious, as many people use simple passwords. MD5 is the safest way to encrypt passwords; nevertheless, using common words for passwords is definitely not the way to go.

    I definitely would say that you should use numbers, characters as well as both upper and lower case combinations in your passwords.

  3. Keith Dsouza wrote:
    This can definitely get serious, as many people use simple passwords. MD5 is the safest way to encrypt passwords; nevertheless, using common words for passwords is definitely not the way to go.

    I definitely would say that you should use numbers, characters as well as both upper and lower case combinations in your passwords.

    Just a note, MD5 is not encryption. It’s a hash algorithm.

  4. Any developer worth anything would always use a salt when hashing passwords. What does this mean? A salt is basically a random string which is appended to the password before it’s hashed. Then when checking you simply append the salt to the entered password and see if it matches their MD5 hash. This renders rainbow attacks completely useless, as the actual MD5 would be of something like “passwordKj5g6d” – which obviously wouldn’t be likely to be in a rainbow table. Even a static hash is often good enough, as long as it’s still quite random.

    Also don’t forget these MD5s will be behind a password protected database, so you’re pretty safe unless you’re using really unsafe websites in which I’d hope you don’t use your actual password.

  5. Heh, “a database of MD5 hashes”.

    The site has a nice simple layout and the idea is cute enough, but why would you do a simple database when you can use Rainbow Tables? ([en.wikipedia.org]) – can be adapted for salt as well, although it does increase the size of the rainbow tables “a bit”.

  6. A 6-letter hash consisting of A-Z, a-z and 0-9 will produce an extra 56,800,235,584 permutations, which I think is a bit more than “a bit”. Not to mention they then have to extract the password from the result.

  7. Oh and this “database of MD5 hashes” is effectively a hash table.

  8. meh I meant rainbow table.

  9. Thanks to everyone for the information, and yes this database is effectively a rainbow table. I thought about going into more details as to how this all works, but I wanted to keep it simple for people who don’t even know what MD5 is yet.

  10. The “about” page on the md5() site doesn’t say that it uses rainbow tables, just that it has “a database of md5 hashes”. If it used rainbow tables, I can’t see why it would be able to crack an 8-letter password (“password”), but fail on a 5-letter password (“2w9ss”), when it obviously handles the character set (it does handle the (very short) “2w9”). But I might have misunderstood how rainbow tables work.

    Also, forget “A 6 letter hash containing of A-Z, a-z and 0-9 will produce an extra 56,800,235,584 permutations.”; a UNIX salt only does 4096 permutations (which is a lot of extra space, but within the realm of doable) – again, unless I’ve misunderstood something.
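Comments 4, 6 and 10 between them describe the whole salting argument: append a random string to the password before hashing, store the salt next to the digest, re-append it at login, and accept that the precomputed table now has to be multiplied by the number of possible salts. The following is an added example, not code from the post or from any of the commenters, that implements that scheme as comment 4 lays it out (md5(password + salt)) and computes the salt-space figures from comments 6 and 10. The wordlist and the example salt “Kj5g6d” (taken from comment 4’s own illustration) are constructed for the demo. It keeps MD5 only because that is what the thread discusses; current practice is a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2, and the salt handling shown here carries over unchanged.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 8) -> str:
    """Fresh random per-user salt (hex), the 'random string' comment 4 describes."""
    return secrets.token_hex(nbytes)


def hash_password(password: str, salt: str) -> str:
    """Digest to store beside the salt: md5(password + salt), as in the comment."""
    return md5_hex(password + salt)


def verify(password: str, salt: str, stored_digest: str) -> bool:
    """Re-append the stored salt to the entered password and compare in constant time."""
    return secrets.compare_digest(hash_password(password, salt), stored_digest)


def salt_space(alphabet_size: int, length: int) -> int:
    """Number of distinct salts, i.e. the factor by which a precomputed table grows."""
    return alphabet_size ** length


# Constructed unsalted table standing in for the site's database / a rainbow table.
UNSALTED_TABLE = {md5_hex(w): w for w in ["admin", "password", "letmein"]}


def salted_digest_in_table(password: str, salt: str) -> bool:
    """Would the stored (salted) digest be found by an unsalted precomputed table?"""
    return hash_password(password, salt) in UNSALTED_TABLE


if __name__ == "__main__":
    # Two users with the same password get different stored digests.
    salt_a, salt_b = make_salt(), make_salt()
    digest_a = hash_password("password", salt_a)
    digest_b = hash_password("password", salt_b)
    print(digest_a, digest_b, "differ:", digest_a != digest_b)

    # Login check succeeds only with the right password for that user's salt.
    print(verify("password", salt_a, digest_a), verify("Password", salt_a, digest_a))

    # The unsalted table knows md5("password") but not md5("password" + salt).
    print("found by unsalted table:", salted_digest_in_table("password", salt_a))

    # Salt-space sizes quoted in the thread: 62-char alphabet, 6 chars (comment 6)
    # versus the 2-character, 64-symbol traditional UNIX salt (comment 10).
    print(salt_space(62, 6), salt_space(64, 2))
```

Two things follow from the code. First, the salt is not a secret: it sits next to the digest, and its only job is to make every user’s hash unique, so an attacker with the whole table of stored hashes cannot answer all of them with one precomputed list. Second, the growth factor is what comments 6 and 10 are arguing about: `salt_space(62, 6)` is the 56,800,235,584 of comment 6, and `salt_space(64, 2)` is the 4096 of comment 10; with a random 8-byte salt as generated here the factor is 2^64, which is why the per-user salt is the one that makes precomputation pointless.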

  11. Okay, I’ve actually played a bit with the website now and tried a few different passwords, and considering that it handles a string like “Åu*e½/§|t[a-s’ord^¨+}++98:0.2_83” – well, I’m convinced it does use rainbow tables. And yes, I did double-check the md5 value returned, and it is correct.

    I do wonder why it failed on the very simple passwords as those mentioned in the blog posting, though?

  12. …and now I’ll just go shoot myself and write “never post anything on teh intarweb when you’ve just woken up” a 100 times on my blackboard. Yes, obviously I just entered that fancy string on the site, and it calculated the md5sum for me – duh. Not the other way around.

    So I’ll return to my previous position of “is this really using rainbow tables?”, and have a bucket of coffee.

  13. If you follow the best practices recommended today you would have a password that is a phrase that includes upper and lower case along with numbers and punctuation. On some sites I needed a 26-character password before it thought I was adequately protected. But then, considering the speed at which computers run nowadays and how smart the bad guys are, you can never be too safe. Thanks for the interesting article.

  14. If I have this hash, what is the password for it?

    b041837512536fcac661a3cf3c69eef2

  15. b041837512536fcac661a3cf3c69eef2

    Hash not found, Balaji …

  16. plz some one crack me this i cant crach it e2a30c1ac3ad4706e68ffc78b455ed62

  17. f9304469ccd0fc1a397ceb94066482cb pls ssome help

  18. And some people take this as a hash cracking service website. Please becomes pls and some comes with a hisssss. Venomous.

  19. You should check this md5 cracker too [md5-decrypter.com]

  20. 97c8a588ae41aaa672241a459dc30397 plzz someone crack it and tell me how I can crack this type of password

  21. Hey there,

    My site [hashhack.com] does the same thing, except I have over 13 million hashes and counting. It’s worth a look if you’re still trying to crack that MD5 hash :)

    Happy Cracking

  22. plz crack this for me: f344831f3a52a1f76472daff94734d8b

    Type the password in an email to masoudnajafi20@hotmail.com
