
> With the hash you can identify matching records but you cannot create a record from the hash.

I always chuckle when I see someone saying this. A buddy of mine (email marketer) tried to convince me that his 50 million large email database is "well protected" because they are using "industry standard md5 encryption". Of course it's not encryption but rather hashing. He was so sure of his, erm, encryption, that he sent me the whole database and said "here, crack it".

I found a large hacked Facebook email database online, ran a few Python scripts to weed out most combinations of usernames (name+numbers, numbers+name, numbers+some random chars, etc.) and some 1000 generic email domain names (like gmail.com, yahoo.com, etc.). It took my regular i9 five days to go thru the whole 50M of md5s and compare each combination of usernames + domain names. Oh boy, his shock when I returned some 70% "unencrypted" plain text emails back to him :)

Bottom line is, if there is some "industry standard" of hashing data, then there are ways to unhash it. Yes, in many cases it may take millions of years to circle thru all possibilities, but if your standard is first name + last name + email address (and all caps), then you can easily plug in a database of names and download millions of email records online and narrow down your hashing search greatly.
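Added example, not part of the original comment: a small self-audit that checks whether hashed email identifiers can be matched back to plaintext by enumerating guessable candidates, run once against unkeyed MD5 and once against a keyed HMAC-SHA256. All addresses, candidate lists and key values are constructed for illustration, and the keyed variant is an assumption of this example as one mitigation, not something the comment proposes.

```python
import hashlib
import hmac
from itertools import product

# Constructed sample records; none of these come from the page.
STORED_EMAILS = ["alice1984@example.com", "bob.smith@example.org",
                 "x9$Kq-7fTz@example.net"]

# Constructed candidate space of the kind the comment describes:
# common names, numeric suffixes, common domains.
NAMES = ["alice", "bob.smith", "carol"]
SUFFIXES = ["", "1984", "1985"]
DOMAINS = ["example.com", "example.org"]


def md5_hex(value: str) -> str:
    """Unkeyed digest: anyone can compute it for any guess."""
    return hashlib.md5(value.encode()).hexdigest()


def hmac_hex(value: str, key: bytes) -> str:
    """Keyed digest: computing it for a guess requires the secret key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recoverable(digests, digest_fn):
    """Return {digest: plaintext} for stored digests matched by a candidate."""
    wanted = set(digests)
    found = {}
    for name, suffix, domain in product(NAMES, SUFFIXES, DOMAINS):
        candidate = f"{name}{suffix}@{domain}"
        digest = digest_fn(candidate)
        if digest in wanted:
            found[digest] = candidate
    return found


def audit():
    """Compare exposure of unkeyed MD5 and keyed HMAC for the same records."""
    key = b"constructed-demo-key-stored-outside-the-database"
    unkeyed = [md5_hex(e) for e in STORED_EMAILS]
    keyed = [hmac_hex(e, key) for e in STORED_EMAILS]
    # A party holding only the database lacks the key, so its guesses
    # are computed under some other key and never match.
    wrong_key = b"constructed-wrong-key"
    leaked_unkeyed = recoverable(unkeyed, md5_hex)
    leaked_keyed = recoverable(keyed, lambda v: hmac_hex(v, wrong_key))
    return sorted(leaked_unkeyed.values()), sorted(leaked_keyed.values())
```

The third record survives only because it falls outside the candidate lists, which is the comment's point: the protection comes from the entropy of the input or a secret key, not from the hash function.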


