{"id":529,"date":"2021-11-26T06:21:08","date_gmt":"2021-11-26T05:21:08","guid":{"rendered":"https:\/\/infosecscout.com\/?p=529"},"modified":"2023-11-22T13:00:11","modified_gmt":"2023-11-22T12:00:11","slug":"can-hashed-passwords-be-decrypted","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/","title":{"rendered":"Can Hashed Passwords Be Decrypted? (Not as safe as you think)"},"content":{"rendered":"\n<p>Most of the time, the passwords you use on your favorites websites are not stored in plain text. They are first hashed for security reasons. But if someone gets access to the database with all logins and passwords, can the passwords be decrypted? That&#8217;s what&#8217;s we&#8217;ll talk about in this article.<\/p>\n\n\n\n<p><strong>As a general rule, passwords are stored by using a non-reversible hashing algorithm, so they can&#8217;t be decrypted directly. Some solutions exist to try to recover the plain text version of a hashed password, but it&#8217;s generally time-consuming and without any guarantee.<\/strong><\/p>\n\n\n\n<p>I&#8217;ll explain everything in details in the following (passwords storage, hashing algorithm and reversibility), feel free to skip some sections if you already know them pretty well.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/#How_Are_Passwords_Stored\" title=\"How Are Passwords Stored?\">How Are Passwords Stored?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/#How_Do_Hashing_Algorithms_Works\" title=\"How Do Hashing Algorithms Works?\">How Do Hashing Algorithms Works?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/#Theory\" title=\"Theory\">Theory<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/#Try_it_yourself\" title=\"Try it yourself!\">Try it yourself!<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/can-hashed-passwords-be-decrypted\/#Can_Hashed_Passwords_Be_Decrypted\" title=\"Can Hashed Passwords Be Decrypted?\">Can Hashed Passwords Be Decrypted?<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Are_Passwords_Stored\"><\/span>How Are Passwords Stored?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Developers will first convert the plain text password into an encrypted version of it, by using a hashing function of their choice. Then, they&#8217;ll store the hashed version in a database, associated with your login or email address.<\/strong><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"558\" height=\"171\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2020\/09\/md5-hashs.jpg\" alt=\"\" class=\"wp-image-202\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2020\/09\/md5-hashs.jpg 558w, https:\/\/infosecscout.com\/wp-content\/uploads\/2020\/09\/md5-hashs-300x92.jpg 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/figure><\/div>\n\n\n\n<p>Hashing functions will turn your plain text password (&#8220;lovemom123&#8221;) into a new sequence of character that may seem random at first sight (something like &#8220;127c9a696ed93cd06cca726a862c3127&#8221;). This way, developers will never see your real password, and if the database or storage is hacked, it will be safer as the hacker won&#8217;t get direct access to all emails and passwords directly.<\/p>\n\n\n\n<p>It&#8217;s not perfect, as we&#8217;ll see later in this article, but it&#8217;s a pretty good process to avoid most issues.<\/p>\n\n\n\n<p>I have a complete article on this topic if you are interested, so I won&#8217;t be longer here: <a href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/\" data-type=\"post\" data-id=\"514\" target=\"_blank\" rel=\"noreferrer noopener\">How Are Passwords Stored? (5 Methods Used by Developers)<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Do_Hashing_Algorithms_Works\"><\/span>How Do Hashing Algorithms Works?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>A hashing algorithm is a cryptographic function that convert any input of data to a fixed-size representation of this input data, what is named the hash. <\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Theory\"><\/span>Theory<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As an example, one of the most popular hashing algorithm is MD5. It will turn any input file or string to a 32 hexadecimal characters string (<a href=\"https:\/\/infosecscout.com\/how-md5-decryption-works\/\" data-type=\"post\" data-id=\"31\" target=\"_blank\" rel=\"noreferrer noopener\">more details here<\/a>). It means that whatever the length of your password, or the size of your ZIP archive, it can generate a 32 characters string from it.<\/p>\n\n\n\n<p>Obviously, as the size of the output data is limited to 32 characters, collisions exist. It means that two different input files (or string to a lesser extent) can produce the same hash result (<a href=\"https:\/\/infosecscout.com\/two-passwords-same-hash\/\" data-type=\"post\" data-id=\"519\" target=\"_blank\" rel=\"noreferrer noopener\">read my article about this<\/a>):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"481\" height=\"101\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/05\/md5sum-differ.jpg\" alt=\"\" class=\"wp-image-403\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/05\/md5sum-differ.jpg 481w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/05\/md5sum-differ-300x63.jpg 300w\" sizes=\"(max-width: 481px) 100vw, 481px\" \/><\/figure>\n\n\n\n<p>But the probability to have this kind of issue is so low that it doesn&#8217;t really matter, especially for passwords that are generally shorted than the output string.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Try_it_yourself\"><\/span>Try it yourself!<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you are new to this and want to play with it a bit, heads to <a rel=\"noreferrer noopener\" href=\"https:\/\/www.md5online.org\/md5-encrypt.html\" target=\"_blank\">MD5Online<\/a> and try to create hashes with a few words. It&#8217;s fun, and it&#8217;s the best way to remember this.<\/p>\n\n\n\n<p>Each time you enter a different word in the form, you&#8217;ll get a new hash, the corresponding MD5 value of the word you typed. MD5 is less and less used to save passwords, but it&#8217;s the same idea for any algorithm.<\/p>\n\n\n\n<p>Back to your main question now, is it safe enough?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Can_Hashed_Passwords_Be_Decrypted\"><\/span>Can Hashed Passwords Be Decrypted?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Hashed passwords can&#8217;t be decrypted. The hashing functions are not reversible, so there is no way to directly get back a password from its hashed representation. However, some algorithms are less secure than other, and strategies like brute-force or rainbow tables may still work to recover some passwords.<\/strong><\/p>\n\n\n\n<p>I also need to explain something important: hashing and encryption are not the same thing.<\/p>\n\n\n\n<ul><li><strong>Encryption<\/strong>: it&#8217;s a two-way function, so anything that is encrypted can be decrypted by using the same key.<br>Ex: OpenSSL, Drive Encryption, etc.<\/li><li><strong>Hashing<\/strong>: it&#8217;s a one-way function, there is basically no-way to recover the original password.<br>Ex: MD5, SHA-1, etc.<\/li><\/ul>\n\n\n\n<p>As passwords are stored using a hashing algorithm, they can be decrypted, they are not &#8220;encrypted&#8221;.<\/p>\n\n\n\n<p>The warning I mention here, is that some algorithms are no longer safe enough to be used to store passwords. For example, there are databases of billion of passwords existing for the MD5 algorithm, so it&#8217;ll be easy to recover a password stored in MD5 without salt (here is a <a href=\"https:\/\/www.md5online.org\/md5-decrypt.html\" target=\"_blank\" rel=\"noreferrer noopener\">free decryption tool for MD5<\/a> as an example).<\/p>\n\n\n\n<p>It&#8217;s the same thing with most &#8220;fast&#8221; algorithms. Current computers can generate countless hashes in one second, so any algorithm that is not time-consuming for the computer (CPU or graphic card), it&#8217;s generally not the safest. If your home computer can generate millions (or billions) hashs per second, imagine what a super computer can do.<\/p>\n\n\n\n<p>I explain different strategies <a href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\" rel=\"noreferrer noopener\">on this page<\/a>, and in more details in <a href=\"https:\/\/www.md5online.org\/ebook.html\" target=\"_blank\" rel=\"noreferrer noopener\">my book that you can find here<\/a>.<\/p>\n\n\n\n<p>That&#8217;s how we get that kind of result, leading to the recommendation to use at least 15 characters passwords:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"1000\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg\" alt=\"\" class=\"wp-image-450\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg 1000w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-300x300.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-150x150.jpg 150w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-768x768.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p>More details here: <a href=\"https:\/\/infosecscout.com\/is-md5-easy-to-crack\/\" data-type=\"post\" data-id=\"449\" target=\"_blank\" rel=\"noreferrer noopener\">Is MD5 Easy to Crack? (and how long does it really takes)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most of the time, the passwords you use on your favorites websites are not stored in plain text. They are first hashed for security reasons. But if someone gets access to the database with all logins and passwords, can the passwords be decrypted? That&#8217;s what&#8217;s we&#8217;ll talk about in this article. As a general rule,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":536,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/decrypted-passwords-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/529"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=529"}],"version-history":[{"count":7,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/529\/revisions"}],"predecessor-version":[{"id":538,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/529\/revisions\/538"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/536"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}