# Re: [PHP-DB] md5 question!

```
md5 returns a 32 char hexdec string.  I'm not sure where you get an 11
char alpha string from md5...

Since the MD5 is 32 chars in length, with 36 possibilities for each char,
that leaves us with 36^32, or 63340286662973277706162286946811886609896461828096
or 63,340,286,662,973,276,904,018,768,749,012,366,609,829,142,200,320 after
using number_format.  What is that?  A little more than the billions of
possibilities you suggest would exist...  Hmmm, that's 63 quindecillion, or
like 63 * 10^48.  Ouch.  I think even with 3+ Ghz processors you might have
to wait a few years.  Months?  Maybe distributed, but doubtful.  Given that
it took 4 years to go through 15,769,938,165,961,326,592 keys (out of a
possible 18,446,744,073,709,551,616) to break 64 bit RSA encryption.  That's
18 * 10^18 total possible keys.  That's a lot less than 63 * 10^48 and it
took 4 years and 331,000 computers.

http://www.pcw.co.uk/News/1135452

From the PHP manual:
http://php.net/md5

Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5
Message-Digest Algorithm, and returns that hash. The hash is a 32-character
hexadecimal number. If the optional raw_output is set to TRUE, then the md5
digest is instead returned in raw binary format with a length of 16.

Beckman

On Tue, 24 Jun 2003 [EMAIL PROTECTED] wrote:

> Just use brute force...
> Example:
> md5('password') will ALWAYS produce the same output!
> So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
> then I could just say:
> if (strcmp(md5('password'), 'SKHGDOIUYFB') == 0)
>
> So, just start a loop going through all possible combinations of legal password
> characters and encrypt with md5, then compare.
>
> Hard?  Not at all.  Time consuming, perhaps, but with 3+ Ghz processors coming
> out you'd be surprised how quickly one could loop through billions of possible
> password combinations.  Enter distributed environments and it is much faster.
> The key is not to rely on passwords but to rely on other system security
> measures, use SSL, so it is hard to intercept in the first place, make sure
> without you knowing about it, etc...
>
>
>
> > Marco,
> >
> > Thanks, that's what I originally thought that it was
> > one way.  So websites that have the option to retrieve
> > password don't use md5?
> >
> > I guess technically there MUST be a way to break the
> > barrier where you can reverse it.  If there is a way
> > to make it there is always a way to break it, somehow.
> >  !!!!  But what I have heard and read it's very tight
> > and probably the best method to handle passwords for
> > now, until something new is released.  Which will
> > happen when md5 is broken, like everything else after
> > a little bit of time.
> >
> > Jerry
> >
> > --- Marco Tabini <[EMAIL PROTECTED]> wrote:
> > > Hi Jerry--
> > >
> > > No, md5 is a one-way hash. That's why it's so
> > > safe--because if someone
> > > steals the information he still can't tell what the
> > >
> > > You may want to reset the passwords upon your users'
> > > request and send it
> > > to them via e-mail instead.
> > >
> > > Cheers,
> > >
> > >
> > > Marco
> > >
> > > --
> > > php|architect -- The Magazine for PHP Professionals
> > > Come try us out at http://www.phparch.com and get a
> > > free trial issue
> > >
> > >
> > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > Hi,
> > > >
> > > > If I use md5 to handle passwords to my database is
> > > > there a way to reverse the action if someone forgets
> > > > their password?  Is there a way for me to decode the
> > > > 32bit to plain text?
> > > >
> > > > Jerry
> > > >
> > > --
> > >
> > > Marco Tabini
> > > President
> > >
> > > Marco Tabini & Associates, Inc.
> > > 28 Bombay Avenue
> > > Toronto, ON M3H 1B7
> > >
> > > Phone: (416) 630-6202
> > > Fax: (416) 630-5057
> > > Web: http://www.tabini.ca
> > >
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> >
> >
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/
---------------------------------------------------------------------------


```
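An added example, not part of the original thread, covering the points discussed in it: the md5() output format quoted from the PHP manual, why an unsalted md5 of the same password always matches, and storing passwords with PHP's password_hash() instead. The user names, passwords and the reset-token helpers (`issueResetToken`, `resetTokenMatches`) are constructed for illustration, and the code assumes PHP 7.4 or later.

```php
<?php
// Added example. All names, passwords and tokens are constructed.
function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("failed: $what"); }
    echo "ok: $what\n";
}

// 1. Output format, as in the manual text quoted in the thread.
$hex = md5('password');        // 32 hexadecimal characters
$raw = md5('password', true);  // 16 raw bytes (raw_output = TRUE)
check(strlen($hex) === 32 && ctype_xdigit($hex), 'hex digest is 32 hex chars');
check(strlen($raw) === 16 && bin2hex($raw) === $hex, 'raw digest is 16 bytes');

// 2. Unsalted md5() is deterministic: equal passwords give equal stored
//    values, so one computed guess can be compared against every row.
$users = ['alice' => 'password', 'bob' => 'password'];
$md5Rows = array_map('md5', $users);
check($md5Rows['alice'] === $md5Rows['bob'], 'md5 rows collide for equal passwords');

// 3. password_hash() adds a random per-row salt and a tunable work factor;
//    password_verify() re-derives the hash from the salt stored in the row.
$rows = array_map(fn($pw) => password_hash($pw, PASSWORD_DEFAULT), $users);
check($rows['alice'] !== $rows['bob'], 'salted rows differ for equal passwords');
check(password_verify('password', $rows['alice']), 'correct password verifies');
check(!password_verify('passw0rd', $rows['alice']), 'wrong password is rejected');

// 4. Forgotten password: nothing can be decoded, so issue a one-time reset
//    token by e-mail and keep only its hash (assumed design, not the thread's).
function issueResetToken(): array {
    $token = bin2hex(random_bytes(32));
    return ['mail' => $token, 'store' => hash('sha256', $token)];
}
function resetTokenMatches(string $presented, string $stored): bool {
    return hash_equals($stored, hash('sha256', $presented)); // constant-time compare
}
$t = issueResetToken();
check(resetTokenMatches($t['mail'], $t['store']), 'issued token matches');
check(!resetTokenMatches(str_repeat('0', 64), $t['store']), 'guessed token is rejected');
```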