Hi
<..start of cold sweat..>
I came across a frightening URL the other day: if you paste your md5() hash into it, it will print out your original password. I thought md5() was un-reversible? I use md5 for storing general passwords in the database for logging in and such things, but thought that you could only compare the hash and not get the originating text?
One plus point that I found is that if you use a concatenation, i.e.
$hash = md5($var1.$var2);
...and then get the hash and paste it into the site, it doesn't get the two, but if you use just plain text it will find it every time.
The site in question is
http://md5.rednoize.com/
and I found it in a new PHP security book by O'Reilly (sorry Wrox), but wondered if I am missing something here as I thought that I read that md5() had 360 million combinations or something?
Would like your feedback on this?
</..end of cold sweat..>
David
Follow up: found that it doesn't break them all, just the simple words that you use. If you copy a decent password (hashed) into it with 7+ characters and the usual alpha-numeric patterns then it doesn't get them, so I guess that if you use good practice with your passwords then you should be OK, but I still found it alarming as I thought md5() was bullet-proof!
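
The behaviour described in the post, as an added example that is not part of the original post: a lookup service acts like a precomputed table from md5(word) to word, which is why plain hashes of simple words are found and md5($var1.$var2) is not. The word list, passwords and helper names (build_lookup, lookup) are constructed for illustration; password_hash() and password_verify() are PHP's built-in functions for storing passwords.

```php
<?php
// Added example. The word list and passwords are constructed samples.

// Model of a lookup service: a precomputed map of md5(word) => word.
// MD5 is not being reversed; the service has simply seen the input before.
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Returns the original word if its hash is in the table, otherwise null.
function lookup(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

$table = build_lookup(['password', 'letmein', 'dragon', 'sunshine']);

// 1. Plain md5() of a simple word: the hash is already a key in the table.
$plain = md5('letmein');
var_dump(lookup($table, $plain));

// 2. md5($var1.$var2): the concatenated string was never hashed into the
//    table, so the lookup misses. A random per-user value plays $var1 here.
//    MD5 is still very fast to compute, so this only defeats precomputed
//    tables; it does not make guessing one stored hash expensive.
$salt   = bin2hex(random_bytes(16));
$salted = md5($salt . 'letmein');
var_dump(lookup($table, $salted));

// 3. Storage form to use instead: password_hash() generates its own salt,
//    uses a deliberately slow algorithm, and embeds both in the result.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored)); // correct password
var_dump(password_verify('dragon', $stored));  // wrong password
```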