How can I Decrypt the code which is Encrypted by md5 method in PostgreSQL.
eg: md5("logesh") returns '82e05c4839aba7c637881489bec50dd1'
How can I decrypted this code.
- 3In short: you can't. That's the whole purpose of the md5 hash.user330315– user3303152016-06-03 06:40:54 +00:00Commented Jun 3, 2016 at 6:40
- the idea of md5 was to be able to compare encryted tokens with no possible unencryption I believeVao Tsun– Vao Tsun2016-06-03 06:46:45 +00:00Commented Jun 3, 2016 at 6:46
- 1Each hash will match multiple source strings, but by using a dictionary of likely answers it's actually surprisingly likely that you'll get the correct source string from brute force. This is why password hashing is only considered to slow down hackers, not stop them (and even then only if you "salt" the passwords first and apply lots of "stretching"). Try for example google.co.uk/search?q=md5+brute+forceDave– Dave2016-06-03 07:13:46 +00:00Commented Jun 3, 2016 at 7:13
- @Dave A large rainbow table can provide results impressively quickly. And it doesn't matter in the slightest if it's the correct plaintext string, so long as it produces the same hashed result.Craig Ringer– Craig Ringer2016-06-04 13:46:49 +00:00Commented Jun 4, 2016 at 13:46
- @CraigRinger that's why I say it only slows them down if you salted the passwords (correctly, i.e. each with its own salt, not one salt for all). In fact I think salting was invented specifically to thwart rainbow tables, though I may be mistaken on the history. Quite right about any match being sufficient, although getting the "correct" value can be very useful to hackers looking to try your credentials on other sites (which may or may not share the same hashing method)Dave– Dave2016-06-04 13:58:08 +00:00Commented Jun 4, 2016 at 13:58
Add a comment |
1 Answer
You can't. MD5 isn't encryption. It's a one-way cryptographic hash function. With enough compute power and/or storage you can brute force md5 to figure out what the plaintext might have been but it's only one possible plaintext for that hash. It's designed to be both slow and difficult to reverse, and impossible to reverse 1:1. There are known MD5 collisions.
PostgreSQL's use of "encrypt" in WITH ENCRYPTED PASSWORD is somewhat incorrect, it should really be WITH HASHED PASSWORD. But too late to change it now.
If you want encryption look into pgcrypto which offers AES-128 routines, etc. Or do your encryption and decryption client-side where key exposure in logs, pg_stat_statements etc isn't such a concern.
1 Comment
ferdynator
maybe you can add that usually one would compare another hashed value with the one in the database to e.g. validate a password instead of decrypting the hash. Good answer :)