I’ve noticed that my page about xdecrypt.com has picked up quite a lot of traffic from people asking the same question, so I’ve decided to write this post to explain what xdecrypt.com is.
Whenever you log on anywhere with your username or email address and password, that site has to store those details to make sure you are who you say you are. In storing those details, the site has to make sure that they are safe from prying eyes.
For instance, let’s use Facebook as our example. You log on with your email address and your password. There is a danger when you store people’s passwords: someone could get access to that file and have the passwords for all your users, which is really not good.
So in order to get around storing passwords in what is described as “plain text” (i.e. you can look at the file and know the password), computers use something called a “hash function”. In its basic form this is a mathematical formula which changes your password into something unreadable, and it is that value which gets stored.
Now here’s the clever bit. The mathematical formula is so good that every single different password has a completely different hash value. I’ve converted two words, “password” and “Password” (notice the capital?), into MD5 hashes.
- dc647eb65e6711e155375218212b3964 = Password
- 5f4dcc3b5aa765d61d8327deb882cf99 = password
They both look completely different, and that’s the beauty of it. Two very similar passwords produce totally different hashes.
Back to our Facebook example: Facebook stores your password as a hash in its database. You type in your username and password, and Facebook converts what you’ve typed in as your password into a hash. If that hash and the stored hash are the same, it will let you log in. All done without storing your password as plain text.
This is where xdecrypt.com comes in. If you go on the site and copy and paste those two hashed strings, it will give you the passwords. Xdecrypt.com is a huge database of which password goes with which hash.
So who uses xdecrypt.com? Probably lots of people. System administrators can use it to test that their passwords are secure, and people who write software can use it to make sure that their systems are secure. Bad guys may use it if they get a whole pile of hash values they need to reverse engineer.
There is more to it: hashing is a part of cryptography, and cryptography is a huge subject area. In our Facebook example above, there are steps that they have taken to prevent you from doing just what I’ve written, by using a process called “salt”. That still doesn’t mean you should relax when it comes to passwords; you should try to have complex passwords involving letters, numbers and punctuation.
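To make the lookup database and the salt idea concrete, here is an added example (not code from xdecrypt.com or from this post's original text). It builds a tiny hash-to-password table from a constructed wordlist, looks up the two MD5 values quoted above, then stores the same password with a random per-user salt. The wordlist, the function names and the choice of PBKDF2-HMAC-SHA256 as the salted hash are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real lookup site holds a vastly larger one.
WORDLIST = ["123456", "letmein", "password", "Password", "qwerty"]

# The two MD5 values quoted in the post.
PAGE_HASHES = [
    "dc647eb65e6711e155375218212b3964",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the post's example."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> password once; every later lookup is instant."""
    return {md5_hex(w): w for w in words}


def register(password: str, iterations: int = 200_000):
    """Return (salt, iterations, key): what a site stores instead of the password."""
    salt = os.urandom(16)  # fresh random salt for each user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def verify(password: str, record) -> bool:
    """Login check: redo the hash with the stored salt and compare."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)  # constant-time comparison


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    for h in PAGE_HASHES:
        print(h, "->", table.get(h))
    alice, bob = register("password"), register("password")
    print("same password, same stored value?", alice[2] == bob[2])
    print("salted value in lookup table?", alice[2].hex() in table)
    print("login ok:", verify("password", alice), "| wrong case:", verify("Password", alice))
```

Because each user gets a different salt, two users with the same password end up with different stored values, so one precomputed table no longer answers for everyone.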