Possible Duplicates:
Is it possible to decrypt md5 hashes?
Is it possible to reverse a sha1?
I asked this question:
working with HUGE spreadsheet
and got a great answer and I followed the advice. I used this:
http://splinter.com.au/blog/?p=86
and I hashed about 300,000 different elements in a column in an Excel spreadsheet
since you can do:
=SHA1HASH('The quick brown fox jumps over the lazy dog')
And you’d get back:
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Couldn't you go backwards as well?
I'm saying if it encrypts the same text the same way every single time, what is the point?
If you do know the hash algorithm, is it possible to go backwards?
Can you please explain to me very simply how hashing works? How can you convert 20 GB to a 40-character hash? Does it take a long time to hash a 20 GB hard drive?
I see your point based on the fact that you are trying to hide Social Security numbers. If someone knows you are using an SHA1HASH on the SSN to create a unique identifier, they can just generate a quick list of all SSN numbers, SHA1HASH them, then compare to automatically have the SSN of the person in the record. Even worse, they can pregenerate all these in a hash lookup table, and have a key of 1 hash for every SSN. This is called a hash lookup table, and more complex forms are called rainbow tables.
This is why a second feature of hashing was invented. It is called salting. Salting is basically this: you create a salt, then modify your data using the salt.
For instance, say you had the SSN 123-45-6789. You could salt it with the string “MOONBEAM”. Your new string for hashing is “123-45-6789MOONBEAM”.
Now, even if someone knows that you are hashing the SSN to generate your unique ID, they still don’t know the salt you will be using, and so are unable to derive the original SSN by pre-hashing a list of all SSNs and comparing to your ID. You, however, can always take the user’s SSN, use the salt, and rehash the SSN+SALT to see if the user SSN matches up with their ID.
Finally, if you use just 1 salt for everything, and keep it secret, instead of being able to see the salt, and generate the corresponding SSN by running SSN increments + salt 100 million times and picking the match, they have to do a lot more work to retrieve SSN. This is because the 100 million SSN numbers have a relatively low amount of entropy. (10^9 combinations). By adding your salt and keeping it secret, instead of just running
They would have to run
.. and so on until they finally get to
at which point they finally did manage to crack the SSN + SALT
They don’t even know how many characters long your salt is
So that is 10^(number of characters of your salt) times more work for them to do just to get 1 SSN, let alone get the whole table.
Update:
Many years later, I see that my info on salting was incorrect when I answered this question. Please see the correct info in posts and comments below about using unique salts per entry, as this is still the first post in the chain. If you think I should change the OP after reading this, leave a comment below (or upvote one), and if the consensus is there, I will correct it.
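The lookup table and the per-entry salts mentioned in the answer above, as an added Python example that is not part of the original posts. The SSN range is a small constructed slice, the helper names are hypothetical, and SHA-1 is used only because the spreadsheet's SHA1HASH uses it.

```python
import hashlib
import secrets

def sha1_hex(text: str) -> str:
    """SHA-1 hex digest, the same function the spreadsheet's SHA1HASH computes."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def format_ssn(n: int) -> str:
    """Render a 9-digit number in the NNN-NN-NNNN form used in the answer."""
    digits = f"{n:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def build_lookup(start: int, stop: int) -> dict:
    """Precomputed digest -> input table for every candidate in [start, stop)."""
    return {sha1_hex(format_ssn(n)): format_ssn(n) for n in range(start, stop)}

def salted_record(ssn: str) -> tuple:
    """Return (salt, digest) using a fresh random salt for this one record."""
    salt = secrets.token_hex(16)
    return salt, sha1_hex(ssn + salt)

def verify(ssn: str, salt: str, digest: str) -> bool:
    """Rehash the claimed SSN with the stored salt and compare in constant time."""
    return secrets.compare_digest(sha1_hex(ssn + salt), digest)

# Constructed sample data: a tiny slice of the 10^9 space, not real SSNs.
SAMPLE_SSN = "123-45-6789"
TABLE = build_lookup(123_456_000, 123_457_000)

def demo() -> dict:
    """Compare an unsalted digest with two salted records of the same SSN."""
    unsalted = sha1_hex(SAMPLE_SSN)
    salt_a, digest_a = salted_record(SAMPLE_SSN)
    salt_b, digest_b = salted_record(SAMPLE_SSN)
    return {
        "unsalted_recovered": TABLE.get(unsalted),       # table hit
        "salted_in_table": digest_a in TABLE or digest_b in TABLE,
        "same_ssn_same_digest": digest_a == digest_b,    # salts differ per record
        "verifies": verify(SAMPLE_SSN, salt_a, digest_a),
        "wrong_ssn_verifies": verify("123-45-6780", salt_a, digest_a),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-record salt makes a precomputed table useless and stops equal SSNs from producing equal digests, but when the salt is stored next to the digest, each record can still be searched across the small SSN space on its own.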