If i generate a MD5 hash of a string and then truncate it to 25 characters, will it be possible to bruteforce it? Is it comparatively safe as salting the hash?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
If i generate a MD5 hash of a string and then truncate it to 25 characters, will it be possible to bruteforce it? Is it comparatively safe as salting the hash?
I’m not a crypto expert but I would imagine truncating would be somewhat similar to salting. When you salt, your padding your input data with random data, then generating a hash value. So essentially,
This random salt obviously affects the hash value returned, so if you had “password” as your password, with a salt, your hash value would be completely different than the hash value derived from the password, “password” without salt added. That being said, an attack would need to guess how the salting was implemented, and then brute force the salt/password combo. So the attacker would have to know where in the string the salt was placed, so was it…
If they can guess that somehow, they would then need to brute force password + salt values.
Extremely computationally intensive!
So if you truncate your hash, there is still some guess work to be done, albeit not as much work perhaps. Consider the md5 hash value you get, you change just a few characters and your hashes change seemingly completely.
For instance,
It is safe to say that most inputs will have an exclusively unique hash value. If your truncation was static, lets say, truncate from 32 characters to 25. The attacker is going to need to know where and how the truncation happens. Is it sliced from the end or front? Randomly picked from the hash? However, given that the hash values will generally be very different you could implement some probabilities.
For instance, take the cat hash. I truncate 7 characters from the end…
Given the fact that these hashes generally vary completely, the truncation wouldn’t help a whole lot. I could write a short script that would check your truncated hashes against full hashes of random input data to see if there is a x% match or something. If I hashed cat, and your truncated hash matched 25 out of 32 characters of my cat hash, I would say with great certainty that your truncated hash is for the word cat, and I would just fill in the truncated part with the rest of my cat hash.
Everything I said here is just me spit balling in my mind. I am no crypto/security expert by any means. I just dabble with random security stuff. Take it or leave it 🙂 Hope it brings some clarity.
Soooo, I would much rather implement my own salting solution, than truncate. If your looking to truncate to save a few bytes of room, implement salt than truncate!