How to Decrypt MD5 Passwords in PHP?

If you are new in the MD5 world, you probably ask yourself how to decrypt MD5 passwords after encrypting them
In this post, I’ll show you how to do this, but you probably need an explanation about the MD5 algorithm before 🙂

How to Decrypt MD5 Passwords in PHP?
The MD5 cryptographic algorithm is not reversible
That’s to say you can encrypt a word into MD5, but not decrypt a MD5 hash to get the word back
If you are using MD5 in the code to validate passwords, you must do this differently

I’ll remind you what is the MD5 algorithm and why you can’t reverse it to find the password
Then I’ll show you how to validate password in your code (with PHP samples)
And finally, I’ll show you how to use the MD5Online API to find lost passwords

What is MD5?

MD5 encryption

MD5 is an algorithm that will generate a 32 characters string (hexadecimal) for any word or phrase you’ll give in input
You can even encrypt an entire file into a MD5 hash

Here is an example:

MD5("MD5Online") = d49019c7a78cdaac54250ac56d0eda8a

If you are interested by the encryption algorithm, you can check the Wikipedia page
But for the moment you just have to remember that there is an infinite possibility of input for a finite output  possibilities (always 32 characters)

So, the MD5 output is not unique, and you can’t reverse it
But we’ll see in the next paragraph how the decryption works

MD5 decryption

You must be saying, “If decryption is impossible, how does MD5Online work?”

In fact, the good answer is:

  • There is no decryption algorithm, the function md5_decrypt() doesn’t exist
  • But every encryption process gives the same result

So I now know that the MD5 hash corresponding to “MD5Online” is d49019c7a78cdaac54250ac56d0eda8a (previous part)
If someone asks me to decrypt this hash, I’m able to answer that there is a good chance that “MD5Online” is the encrypted word

That is how the MD5 decryption tool is working on MD5Online
We have a giant database of known MD5 hash, so we can find the result for a lot of hash

The answer to your question is: no, it’s not really possible to decrypt MD5 passwords in PHP
So, how can you validate user passwords if you can’t decrypt the database field?

How to validate  MD5 passwords?

Theory

The MD5 algorithm is very fast
So you can use it where you want, without slow down your website

That’s why we were using MD5 to store passwords in database
And so to validate them, you can encrypt the input password, and check it with the database one

The pseudo-code will look like this:

IF (MD5(INPUT_STRING) == DATABASE_PASSWORD)
THEN LOGIN()

I’ll show you in the next paragraph how to manage the two steps with PHP

PHP/MySQL samples

Create a user account

The first step is to create a user account
To do this, you need to create a database, with at least two fields: user name and password

For example, in MySQL, you can create something like this:

CREATE TABLE IF NOT EXISTS `users` (
  `username` varchar(32) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`username`)
)

The password will be MD5 encrypted, so it will always be 32 characters length

To create a new user with PHP, you have to do something like that:

mysqli_query("INSERT INTO users (username, password) 
VALUES ('".$_POST['username']."','".md5($_POST['password'])."'"));

You probably already done that, you just need to use the md5() function to encrypt the password
I recommend using salt with MD5 but it’s not mandatory to understand the process

Obviously, before that, you need to connect to your MySQL database server, probably clean the $_POST data, and create a form in HTML to register the user
But we are not here for a basic PHP lesson 🙂

Validate the user password

Then come the part you didn’t know before reading this article
In the login process, you need to compare the input password to the database password

Here is what you can do:

$query = mysqli_query("SELECT * FROM users 
WHERE username='".$_POST['username']."' 
AND password='".md5($_POST['password'])."');

if(mysqli_num_rows($query)) {
   //connect
}
else {
   //bad password
}

So again, we’ll use the md5() function to encrypt the password before login the user
So we can check that the input password is the same than in the database

At no time is it necessary to decrypt the password stored in the database

How to finally decrypt passwords in PHP? (API)

If you still need to decrypt a high number of MD5 passwords for another reason that the one we just seen, I have a solution for you

MD5Online offer an API you can use in PHP (or with other languages) to send requests directly in our database
That way you can decrypt a lot of MD5 encrypted passwords automatically

This is a paid service, if you are interested you will find more info on this page

As soon as you have your VIP key, you can use this sample code:

<?php
$url = 'https://www.md5online.org/api.php';
$key = 'YOUR_VIP_KEY';

//manage your input here, from a form, a file or a database
$md5 = "d3c8e06e57cc1af7ebdba01427e62bc2";

$result = file_get_contents($url."?p=".$key."&h=".$md5);

//do your post action here, with the result
echo $result;
?>

I’ll let you adding a loop, and maybe a query to get all the passwords at once from your database
But you have here the minimal part to use the MD5Online API in PHP

Conclusion

That’s it, you now know how to decrypt MD5 passwords in PHP
Or rather how to use them without decrypting them

But I also give you a way to really decrypt them with the MD5Online API

I hope you enjoy this article, feel free to share if it was helpful 🙂