B4J Tutorial [BANano] MD5 Encryption - Getting the Md5 Hash of a string

Ola

Was recently requested to look at this by a friend, for encryption

1. Download this repo here to get the md5 javascript resource

https://github.com/blueimp/JavaScript-MD5

2. In your BANano project, add the javascript file

BANano.Header.AddJavascriptFile("md5.min.js")

3. Add this code to your code module in your project

'get md5hash
Sub Md5Hash(value As String, key As String, raw As Boolean) As String
    Dim res As Object = BANano.RunJavascriptMethod("md5", Array(value, key, raw))
    Return res
End Sub

4. Usage

Log(Md5Hash("TheMash", Null, False))
    Log(Md5Hash("TheMash", "AneleMbanga", False))
    Log(Md5Hash("TheMash", Null, True))
    Log(Md5Hash("TheMash", "AneleMbanga", True))

5. Output.

One can use this to store hashed passwords in the database, checksums to verify data integrity, detect unintentional data corruption depending on the complexity ones need.

Enjoy.

 

[alwaysbusy]

I guess this is transpiled by BANano. Isn't your password exposed then?

 

[Mashiane]

I guess this is transpiled by BANano. Isn't your password exposed then?

Because hashing is one way, one can implement this by...

1. On a user registration screen, you ask for the password, you don't save the actual password on the db but then hash it and save the hashed password on the db using this option for example.

Dim save2db As string = Md5Hash(<UserPassword>, Null, False))

2. On the login screen, you ask the password of the user, this is then hashed using the same hash method you did for the registration.

3. You then compare the hashed value in the db and the one the user is using to login. If the hash values match, then a successful login is ensured, if not the passwords do not match and no login is done.

In both cases, the real password never actually gets revealed.

In this scenario, you have a system that DOES NOT KNOW peoples passwords like MegaSync for example.

 

[Mashiane]

An interesting article about MD5 and passwords.

https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/

It seems the stronger the password is and hash method used e.g. with a key, the more difficult it is to reverse/decrypt.

 

[alwaysbusy]

And the DB is on the server side of course because MD5 is vulnerable to brute force attacks and as it is a fast hash, one can relatively quick find a plain text match that generates a desired hash, especially with passwords.

It is always better to do all encryption on the server side using something strong like bcrypt and you can protect yourself against brute force attacks e.g. with a DoS filter.

 

[Mashiane]

Well said, @alwaysbusy and people realizing this, have created things like HashToolkit, https://hashtoolkit.com to decrypt these hashes back to their original values.

Thanks for the feedback.

 

[joulongleu]

Hi: Mashiane,After trying for a few days, it finally works,Thank You very much.

 

[Mashiane]

More on this topic here, https://www.b4x.com/android/forum/t...-types-4-algorithm-plus-1.112222/#post-699732

 

[ilan]

Well said, @alwaysbusy and people realizing this, have created things like HashToolkit, https://hashtoolkit.com to decrypt these hashes back to their original values.

Thanks for the feedback.

how is that possible? it should be very hard for a desktop pc (too many combinations) to decrypted HASH back to string?!?!
i know methods, where you have big HASH tables that contain common passwords and compare them but making the decryption in real-time, should be hard, right?

 

[Mashiane]

@ilan , yes it should be impossible actually. On their site, they claim have been able to decrypt the hashes.

 

[ilan]

@ilan , yes it should be impossible actually. On their site, they claim have been able to decrypt the hashes.

ok i understand what they are doing. they are not decrypt hashes what they do they have a big table wish hashes and search in this table. if the hash exists they return the string as i wrote in the post above:

i know methods, where you have big HASH tables that contain common passwords and compare them

as you can see they are searching IN 20.460.908.791DECRYPTED HASHES.

this is a known method where hackers are using tables of common words like from a dictionary book or phone book and run there hashes and compare with the hashes they stole from db's and like this return the password. you know that a computer can calculate about 20 billion hashes/second so thats a lot!! that means that in less then 1 second you can create all phone numbers from a public phone book and all words in a dictionary + many many words combination. this is why we should use salting.

salting = create a random string and include it in your db. then hash the user password + salting string and save it as the hash value in your db. like this you can avoid different users have the same Hash value. to get a higher security level use Salt Rounds with bcrypt as @alwaysbusy already recommended above.

very interesting topic