security - How is it possible to have these reversed hashes available on the web?

Question

If these hashing algorithms are one-way functions, how is it possible to have these reversed hashes available on the web? What is the reverse hashing procedure used by those lookup sites?

Answer 1

When we say that a hash function h is a one-way function, we mean that

• given some fixed string w, it's "easy" to compute h(w), but
• given f(x) for some randomly-chosen string x, it's "hard" to find a string w where f(w) = f(x).

So in that sense, if you have a hash of a string that you know literally nothing about, there is no easy way to invert that hash.

However, this doesn't mean that, once you hash something, it can never be reversed. For example, suppose I know that you're hashing either the string YES or the string NO. I could then, in advance, precompute h(YES) and h(NO), write the values down, and then compare your hashed string against the two hashed values to figure out which string you hashed. Similarly, if I knew you were hashing a number between 0 and 999,999,999, I could hash all those values, store the results, then compare the hash of your number against my precomputed hashes and see which one you hashed.

To directly answer your question - the sites that offer tables of reversed hashes don't compute those tables by reversing the hash function, but rather by hashing lots and lots and lots of strings and writing down the results. They might hash strings they expect people to use (for example, the most common weak web passwords), or they may pick random short strings to cover all possible simple strings (along the lines of the number hashing example from above).