不。MD5不是加密(尽管它可能被用作一些加密算法的一部分)，它是一个单向哈希函数。作为转换的一部分，大部分原始数据实际上“丢失”了。

Think about this: An MD5 is always 128 bits long. That means that there are 2128 possible MD5 hashes. That is a reasonably large number, and yet it is most definitely finite. And yet, there are an infinite number of possible inputs to a given hash function (and most of them contain more than 128 bits, or a measly 16 bytes). So there are actually an infinite number of possibilities for data that would hash to the same value. The thing that makes hashes interesting is that it is incredibly difficult to find two pieces of data that hash to the same value, and the chances of it happening by accident are almost 0.

A simple example for a (very insecure) hash function (and this illustrates the general idea of it being one-way) would be to take all of the bits of a piece of data, and treat it as a large number. Next, perform integer division using some large (probably prime) number n and take the remainder (see: Modulus). You will be left with some number between 0 and n. If you were to perform the same calculation again (any time, on any computer, anywhere), using the exact same string, it will come up with the same value. And yet, there is no way to find out what the original value was, since there are an infinite number of numbers that have that exact remainder, when divided by n.

That said, MD5 has been found to have some weaknesses, such that with some complex mathematics, it may be possible to find a collision without trying out 2128 possible input strings. And the fact that most passwords are short, and people often use common values (like "password" or "secret") means that in some cases, you can make a reasonably good guess at someone's password by Googling for the hash or using a Rainbow table. That is one reason why you should always "salt" hashed passwords, so that two identical values, when hashed, will not hash to the same value.

一旦一段数据通过哈希函数运行，就没有回头路了。

理论上，你不能。哈希的意义在于它是单向的。这意味着如果有人设法获得哈希列表，他们仍然无法获得您的密码。此外，这意味着即使有人在多个网站上使用相同的密码(是的，我们都知道我们不应该这样做，但是……)任何访问站点A的数据库的人都不能在站点B上使用该用户的密码。

The fact that MD5 is a hash also means it loses information. For any given MD5 hash, if you allow passwords of arbitrary length there could be multiple passwords which produce the same hash. For a good hash it would be computationally infeasible to find them beyond a pretty trivial maximum length, but it means there's no guarantee that if you find a password which has the target hash, it's definitely the original password. It's astronomically unlikely that you'd see two ASCII-only, reasonable-length passwords that have the same MD5 hash, but it's not impossible.

MD5是一个不好的哈希密码:

它的速度很快，这意味着如果你有一个“目标”散列，尝试很多密码，看看你是否能找到一个散列到目标的密码是很便宜的。盐析对这种情况没有帮助，但它有助于增加寻找与使用不同盐析的多个哈希中的任何一个匹配的密码的代价。 我相信它有已知的缺陷，这使得它更容易发现冲突，尽管在可打印文本(而不是任意二进制数据)中发现冲突至少会更困难。

我不是安全专家，所以除了“不要使用自己的身份验证系统”之外，我不会给出具体的建议。从信誉良好的供应商那里找一个，然后使用它。安全系统的设计和实现都是一项棘手的工作。

It is not yet possible to put in a hash of a password into an algorithm and get the password back in plain text because hashing is a one way thing. But what people have done is to generate hashes and store it in a big table so that when you enter a particular hash, it checks the table for the password that matches the hash and returns that password to you. An example of a site that does that is http://www.md5online.org/ . Modern password storage system counters this by using a salting algorithm such that when you enter the same password into a password box during registration different hashes are generated.

是的，你所要求的一切都是可能的。 在没有帮助的情况下“解密”MD5密码是不可能的，但是可以将MD5密码重新加密到另一种算法中，只是不能一蹴而就。

您要做的就是让用户能够使用旧的MD5密码登录到新系统。在他们登录时，他们已经给了你的登录程序一个未加密的密码版本，你证明与你拥有的MD5哈希匹配。然后，您可以将这个非散列密码转换为新的散列算法。

显然，这是一个扩展的过程，因为您必须等待用户告诉您密码是什么，但它确实有效。

(注意:七年后，哦，希望有人会发现它有用)

不直接。由于鸽子洞原理，有(可能)不止一个值散列到任何给定的MD5输出。因此，你不能肯定地扭转它。此外，MD5是为了使查找任何这样的反向哈希变得困难(然而，已经有产生冲突的攻击-也就是说，产生两个哈希到相同结果的值，但您无法控制最终的MD5值是什么)。

但是，如果将搜索空间限制为长度小于N的普通密码，则可能不再具有不可逆性属性(因为MD5输出的数量远远大于感兴趣域中的字符串数量)。然后，您可以使用彩虹表或类似的反向哈希。

不，不可能反转诸如MD5这样的哈希函数:给定输出哈希值，除非已知关于输入消息的足够信息，否则不可能找到输入消息。

解密不是为哈希函数定义的函数;加密和解密是CBC模式下AES等密码的功能;哈希函数不加密也不解密。哈希函数用于摘要输入消息。顾名思义，没有反向算法可以设计。

MD5 has been designed as a cryptographically secure, one-way hash function. It is now easy to generate collisions for MD5 - even if a large part of the input message is pre-determined. So MD5 is officially broken and MD5 should not be considered a cryptographically secure hash anymore. It is however still impossible to find an input message that leads to a hash value: find X when only H(X) is known (and X doesn't have a pre-computed structure with at least one 128 byte block of precomputed data). There are no known pre-image attacks against MD5.

It is generally also possible to guess passwords using brute force or (augmented) dictionary attacks, to compare databases or to try and find password hashes in so called rainbow tables. If a match is found then it is computationally certain that the input has been found. Hash functions are also secure against collision attacks: finding X' so that H(X') = H(X) given H(X). So if an X is found it is computationally certain that it was indeed the input message. Otherwise you would have performed a collision attack after all. Rainbow tables can be used to speed up the attacks and there are specialized internet resources out there that will help you find a password given a specific hash.

It is of course possible to re-use the hash value H(X) to verify passwords that were generated on other systems. The only thing that the receiving system has to do is to store the result of a deterministic function F that takes H(X) as input. When X is given to the system then H(X) and therefore F can be recalculated and the results can be compared. In other words, it is not required to decrypt the hash value to just verify that a password is correct, and you can still store the hash as a different value.

重要的是使用密码哈希或PBKDF(基于密码的密钥派生函数)来代替MD5。这样的函数指定如何将盐和散列一起使用。这样就不会为相同的密码(来自其他用户或其他数据库)生成相同的散列。由于这个原因，密码哈希也不允许使用彩虹表，只要盐足够大并且正确随机。

Password hashes also contain a work factor (sometimes configured using an iteration count) that can significantly slow down attacks that try to find the password given the salt and hash value. This is important as the database with salts and hash values could be stolen. Finally, the password hash may also be memory-hard so that a significant amount of memory is required to calculate the hash. This makes it impossible to use special hardware (GPU's, ASIC's, FPGA's etc.) to allow an attacker to speed up the search. Other inputs or configuration options such as a pepper or the amount of parallelization may also be available to a password hash.

然而，它仍然允许任何人验证给定H(X)的密码，即使H(X)是密码哈希。密码哈希仍然是确定的，所以如果有人知道所有的输入和哈希算法本身，那么X可以用来计算H(X)，并且-再说一次-结果可以进行比较。

常用的密码散列有bcrypt、scrypt和PBKDF2。还有各种形式的Argon2，它是最近密码哈希竞赛的赢家。在CrackStation上有一篇很好的关于密码安全的博文。

可以使对手无法执行哈希计算来验证密码是否正确。为此，可以使用胡椒作为密码散列的输入。或者，哈希值当然可以使用AES等密码和CBC或GCM等操作模式进行加密。然而，这需要独立存储秘密/密钥，并且比密码哈希有更高的访问要求。