md5 is a hash algorithm. With hash algorithms you can determine a hash value for text/files of any length, a kind of fingerprint. This fingerprint is always the same length (128 bits for md5), and the same file/text results in the same fingerprint. As soon as only one character changes in the text (case sensitive), the fingerprint looks completely different.
What is special about the fingerprint/hash value, at least with md5, is that you cannot convert a hash value back into the text. In other words, you can't 'decrypt' such a hash value again.
This has several reasons, one is that a hash value is not unique, so two completely different texts can have the same hash value. But the probability is very low, because there are about 3.4 * 10 38 (a number with 39 digits) different hash values.
It is more likely that the same numbers will be drawn five times in a row in the lottery.
Hmm I now get a hash value from a text, but I can't decipher this hash value again, what should I do with it?
As we know, a text always has the same hash value. You can use this for passwords, because you shouldn't store them unencrypted.
If a visitor registers with a password now, we determine the hash value of the password via md5 and then save only the hash value.
If the user wants to log in later, he gives his password then, from this we determine again the hash value, and if the hash value of the login is the same as the stored value, then the user has entered the correct password, otherwise not.
No, you can retrieve information from a hash value.
Using brute force, you can convert any theoretically possible password into the md5 hash value. If the stored hash value is then the same as the one you just tested, the program outputs the text you just tested, because it has memorized it beforehand (stored in a variable).
Therefore, it is important to use long passwords that do not come from a dictionary.
In the future it might be possible to crack md5 hash values very easily, or you can calculate another text with the same hash value. But as far as I know, there is still a public solution/theory that could be applied.
Brute Force can take several hundred years with long passwords (10 or more characters).
Thanks to PHP we can easily use this function, because the algorithm already exists in PHP.
The PHP code looks like this:
$text = "SEO-Tools";
$md5 = md5($text);
This is a difficult question, in any case you should never use a password found in the dictionary.
Furthermore, you should use as many different characters as possible, i.e. small and capital letters, numbers and special characters.
Because md5 makes a difference between A and a.
Then the password should not be too short. An alpha-numeric (letters and numbers) password with 8 characters can be cracked in 2 days.
So it should use at least 10 characters, because then it takes about 5 years. If you have special characters and capital letters in your password, this security is increased again.
Another trick are so-called passpharsen. These are small sentences which one takes as password. These passphrases should not make sense.
E.g. such a sentence: The small car hammers the beautiful chair.
Here it is again important to use several words. Otherwise he will not use the alphabet for the Brute Force attack, but a dictionary and then combine the words with it. But for our password it would take about 10 billion years.
Of course an admin can come up with a few common things to make it difficult for an attacker to crack the password.
Strangers should never be able to see the encrypted passwords, if you have to store the passwords in a text file, you should hide the file as well as possible and not give names like passwort.txt.
It would also be smarter to store the passwords in a PHP file, like this:
If you read this file line by line, then simply remove <?php at the beginning and you already have the login data. If an attacker calls this file now, he only gets an error message and not the valuable login data.
If the attacker does not have the password file, he would have to try to crack the password via the log form, which is a lot harder, because then you can only test about 30 - 80 passwords per second, depending on your internet connection. The passwords are best stored in a database or the password file is in a password-protected folder or in a folder that only the server can open/read.
As already mentioned, unfortunately many people use a bad password and this password for several services.
So if an attacker gets to the hash value and cracks it, he can do a lot of damage.
One way to prevent this is to 'improve' your hash function.
Here it is simply checked how often someone tries to log in. If someone tries to log in 10 times (without success), his username will be locked for the next 10 minutes.
This promises a very high level of protection, but can annoy other people by locking their username all the time.
You can also block the entire user name and send him a mail with an activation link to reactivate his user name.
Another possibility would be to block the IP for a certain time, but there are proxy's that allow you to change your IP. If the attacker then has 10 wrong login attempts, the next IP is simply taken.
This means that you generate a small image via PHP, with a certain content. The user then has to enter this content into another text field to log in.
This makes life much more difficult for an attacker (cracker), because machines often have problems reading the content of the image correctly, but only if you consume the text a bit. Just say a few thin bars in front of the letters, use different text sizes, etc. The human can still read it, but for a PC too good as impossible.