Topic: What is the point of MD5?

[PugJr]

PugJr , please tell me your joking.. as that's quite a dumb statement to make!

To obtain any content that has the same hash as yours is possible. To prove that its the one you made, is not. I am saying its possible to find a matching hash with infinite CPU power (I'm not sure but is it possible a shared web host is offering that?). I'm not saying its possible to prove that the content I used to make the hash is the same as yours.

So, yes, I am serious.

[Daniel0]

Well lets see...Since you didn't require any proof...only...xxx-xxxx-xxx...9,999,999,999 possiblites. Heck, I'm just gonna brute force these numbers until I call daniel!

Well, Danish phone numbers are eight digits, so now you're down to 10,000,000 (remember that numbers start from 0). However, you know that it ends with 4, so that means you're down to 1,000,000. Not all numbers are used though. Nobody has the phone number (+45) 00000000 for instance, so if you lookup the valid ranges you can further decrease it.

See how easy I am making it. Limiting the range by telling it's a phone number, giving you hints to further decrease the possible range.

Without salt you can crack with rainbow tables though...

Yeah, @MadTechie, that password is probably pretty random consisting of lowercase/uppercase/numbers etc.

I said you can crack MD5. But only if it's relatively simple. But tbh, who actually puts effort into making a secure password (except programmers etc)?

Most people use the same password for everything. Something like "hello" or "i love xxx". They would be crackable.

This is a mathematical subject. It doesn't matter if "hello" matches the hash you are given because there are an infinite number of other matches, so you have no means of verifying that "hello" was the original value or one of the other infinite matches.

[MadTechie]

Again with the passwords..
Okay read the topic.. all of this has been covered..

Here the thing people are not getting.

1. Can you generate an input that matches the hash output, Yes
2. Can you reverse the has back to its original state, NO

creaking MD5 would mean 2 was true BUT ITS IMPOSSIBLE!
adding salt just adds extra protection for the limitation of the passwords entered (length, characters)

PugJr: if you mean you can get the same contents then your wrong..
if you have a finger print, can you clone someone from it ?
you maybe able to create someone with the same finger print but is the DNA the same.?
You won't know unless you can compare to the original but you only have a finger print!

[jxrd]

Lol yeah, but the chances of having an MD5 hash cracked is considerably higher without salt.

I'm just saying...you need to use salt.

[MadTechie]

I have a challenge that could get you up to $15,000 if you want to take the challenge or you could take the $5000 version any time.

Your statement should be if you don't use salt your password it more likely to have a hash match in a rainbow table.

[PugJr]

You defintely /can/ get the same content. Okay, take this for instance, madtechie. Lets say I have a computer with infinite speed. So of course with infinite speed I can obtain infinite ammount of hashes. So I can get your exact content, but there is no possible way of me knowing which one is yours.

The only flaw to this hypothetical situation is I would have an infinite ammount of the same hashes that you need me to find...Hm...

But regardless, I still obtained your exact content4 (Well, not knowing which content is yours though, but as a group of hashes, one of them must be yours.), without knowing which is yours. I have to if I have every hash possible.

I do agree that it isn't possible to prove that the content of one hash is the same one as yours BUT still regardless, I can get the same 32 hash characters.

So anyways point is: All the content I've used md5() on, which is everything, must be one with your content as your content is apart of something. But yes, I still do agree it isn't possible to prove which one is yours.

[jxrd]

if you don't use salt your password it more likely to have a hash match in a rainbow table.

Thus is more likely to get cracked, hence my initial point. So yeah

[MadTechie]

Infinite time, still means infinite possibilities.. with this ever grown list of possibilities theirs no way your when you have mine in that list.. so when could/would you stop.. surely you can only stop when you know you have the original which means you need all possibilities which is infinite.. thus not possible!

This statement still remains true

Code: [Select]

This hash is mathematically irreversible, meaning that it is impossible to determine the original password using only the hash.

jxrd: indeed but that's nothing to do with cracking MD5, that's cracking a password that the salt makes stronger

[Daniel0]

You need to learn how to read. You cannot "crack" a hash. It doesn't make any sense to say that. Believe it or not, but hash tables are not exclusively used for passwords. In fact, I'm sure you've used them extensively. An associative array is just another word for a hash table.

Taking it completely away from this password thing (which is clearly confusing you), imagine a dictionary. We define the hash of a word as the first letter of the word. Using the English alphabet this means it can be a through z, i.e. 26 different hashes. So "monkey" has the hash "m" and "house" has the hash "h". If I simply give you the hash "f" you cannot possibly revert that back to the word I had in mind.

You defintely /can/ get the same content. Okay, take this for instance, madtechie. Lets say I have a computer with infinite speed. So of course with infinite speed I can obtain infinite ammount of hashes. So I can get your exact content, but there is no possible way of me knowing which one is yours.

You cannot have an infinite amount of anything. Hilbert's paradox of the grand hotel illustrates this in a very clear way.

Imagine a hotel with an infinite number of rooms that are all booked. A guest's room number is denoted n. Now someone comes into the hotel asking for a room so the hotel manager asks all the guests to move to room number 1+n. This leaves room for our new guest in room number 1. Now an infinite number of new people ask for rooms, so the hotel manager asks everybody to move to room number 2n. This leaves all the odd room numbers available. So even though all the infinite number of rooms were booked there were place for an infinite number of new guests. You cannot both have everything booked and have rooms available, so it must be impossible to have an infinite number of something.

This kind of argument is called reductio ad absurdum. You first assume that something is true, but find that it being true leads to an absurd situation thus the initial assumption must be false.

[PugJr]

I think I'm not doing a good job of explaining on what I mean.

Lets say I cover up to 30 characters. My objective is to find the content of hash (No this isn't a real hash, this is just used for the purpose of a point.) "pug". Okay thats the hash. Now, I run up to all 30 characters and get:

George
House
bob
dog

Those when used with hashmaker() (No, that isn't a function either.) will all convert to "pug". So it also took 5000 years to get all the hashes done, but anyways, now, I have obtained every possible hash that is "pug" up to 30 characters. Now, although I can't know the exact hash to the one that the person used, I know it still has to be within that group and I have obtained the original content, but just not sure which one is the real one. Now put this into context.

There is hash "ec81f8fe815098e02460e0184d3eac4e". I go up to a google plex of characters. Now I have:

(These don't make ec81f8fe815098e02460e0184d3eac4e when hashed, but its for the purpose of the point.)
spamabcdefg
fdmgiIJSDFMosdf
KSPDSDV
etc.

Now I have a set ammount of hashes. I guarntuee you, that now I do have your orignal content. But like I said, its impossible to prove which one is yours, BUT I still have it in that group of content hashed into "ec81f8fe815098e02460e0184d3eac4e".

Why would this not work? I've read the posts on this. I know its not possible to use a function like unhashmd5() that gets the exact one as just through math like daniel explained, is impossible as there is an infinite ammount of strings per hash.

So anyways, madtechie, assuming I generated up to a googleplex of characters that all end out to "ec81f8fe815098e02460e0184d3eac4e", would you say that absoultely none of those match your content? So from what I understand, if your original content is under a googleplex of characters, I do have it, as a group of millions and millions of other hashes under "ec81f8fe815098e02460e0184d3eac4e".

[Daniel0]

The problem with your logic is just that the range of all integers reaches beyond a googolplex. You can always add +1. That's kind of what infinity means. Besides, that is completely irrelevant.

If I give you two numbers: 1 and 0, and tell you that one is correct (what whatever arbitrary purpose) and the other is incorrect., how are you going to know which one? You can guess all you want, but you won't know the answer until I tell you.

I think the biggest problem is that you don't understand what a hash table is. It's just a data structure like many others such as a heap, trie, linked list, array and so on. It's not just a "string of characters" or whatever you seem to believe it is.

[MadTechie]

Your just not getting it are you!
What makes you think in 5000 years your get the correct value ? why not 10000 years or 10000000000 years no matter how long to attempt it your always have more.. and your never know which one I generated the hash from.. the simple fact of the matter is you will never know what I used to create that hash, because you don't have the data you need, thus again its impossible!

its like X mod 10 = 6
What did I enter as X to get 6, NOT what CAN you enter to get 6.
You could say well it will be in my infinite list of possibilities.. but that's not possible

[PugJr]

If I give you two numbers: 1 and 0, and tell you that one is correct (what whatever arbitrary purpose) and the other is incorrect., how are you going to know which one? You can guess all you want, but you won't know the answer until I tell you.

This is where we are missing each other. No, my answer would be is that its either 1 or 0.  But it can not be 2, 3, 4, 5, +.

All I'm saying is that you can group all the content (Okay fine, not all since thats infinite, but whatever, a large number) with the same hash and within that group, it MUST be his hash. I've been saying that in most of my posts that I can group the ones with matching hashes, which then MUST contain the one we are looking for. I've also said plenty of times that you can not pinpoint the exact content of the message.

I guess my whole point is kinda worthless.


Madtechie, the 5000 years was just an arbitrary number. Okay, sorry, I mean x years. Techie, I'm just saying that I can group out the possiblities of your content just like daniel did with the phone numbers.

I can go on a point basis where you guys can agree and disagree, but I think we are just misunderstanding. I never said once I can get the /exact/ content, but I can get a group of the same hashes with different content.

[MadTechie]

but I can get a group of the same hashes with different content.

Agreed!

I gave an example of this here in this thread

EDIT: maybe we should move this thread to Miscellaneous

[.josh]

omg we need a mod to permanently unsubscribe from threads.