1

MD5 is a hash, so it is a one-way cryptographic function. But I am not sure that MD5 has only one hash per input?

Web application stores the passwords hashed with MD5, but when the user enters the password how can the application give access to that user? As the users password will be a hash with another string which is different from the older one.

And how do MD5 dictionaries work? We can get the reverse of the input, but how does it actually work?

januu agrawal
  • 81
  • 2
  • 8
  • 1
    It's not very clear what you're asking here: md5(1) will always give the same output. There is likely to be some other value which you can apply the md5 function to and get the same output hash, but that's OK - it's called a collision, and all general purpose hash functions have them, if you hash enough different values. – Matthew Oct 23 '17 at 16:28
  • The web application hashes the entered password and compares the resulting hash with the stored hash in the database. – Arminius Oct 23 '17 at 16:30
  • okay @Arminius then please tell me that "Is it possible to get one same hash value of the same input?" – januu agrawal Oct 23 '17 at 16:33
  • @januuagrawal Yes, the same input always produces the exact same hash value (for the same hash function, of course). – Arminius Oct 23 '17 at 16:38
  • So, in the login form the Web application uses hash collision? @Arminius And please if so then answer my second confusion which i added above. Thank you – januu agrawal Oct 23 '17 at 16:40
  • Sorry, I misread your comment. Hash collisions are not relevant for verifying hashed passwords. I clarified my comment. – Arminius Oct 23 '17 at 16:41
  • Yeah i saw that. And what about the second confusion. Please see the question again. :) – januu agrawal Oct 23 '17 at 16:45
  • A hash is a (mathematical) function; each input is related to exactly one output. – Mark Beadles Oct 23 '17 at 16:46
  • otoh: if you did find a hash collision, yes, you could login with a different password than the user knows. – dandavis Oct 24 '17 at 06:36

1 Answers1

5

MD5 is deterministic, meaning that if you hash the same input multiple times you will always get the same answer. So to see if a password provided by the client is correct, the server can just hash it again and see if the hash is the same as the stored hash.

Similarly, a MD5 dictionary works because someone has hashed common passwords and stored the results. If your hash is in the list, you can just look it up and see what input it corresponds to.

I think your central misunderstanding is that MD5 could give different results for the same input. It does not.

Also note that MD5 is not a safe algorithm to use for password storage. For how to do password hashing right, see this question.

Anders
  • 65,582
  • 24
  • 185
  • 221