[PHP-DB] md5() function
Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Best Regards, M Guirao -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() function
MD5 is also known as an one-way crypt system; you can encryptit but never unencrypted; only using brute force or a hash list you can retrive a 'string' that it's hash is the one stored; but it is not necesary the same original string; this is also known as a hash collision. So, in short... no, there isn't a unMd5(). If you need to retrive the original string, try GPG. On 14/01/2008, Miguel Guirao [EMAIL PROTECTED] wrote: Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Best Regards, M Guirao -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Atte, Andrés G. Montañez Técnico en Redes y Telecomunicaciones Montevideo - Uruguay -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() function
On Jan 14, 2008 2:26 PM, Miguel Guirao [EMAIL PROTECTED] wrote: Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Negative. Once it's hashed with an MD5, SHA1, or similar encryption method, it's (as of now) impossible to reverse. You could create a table with a column of unencrypted phrases, characters, and combinations, with a second column containing the correlating hashed string, but that's about it. -- /Dan Daniel P. Brown Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since Nineteen-Seventy-[mumble]. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() function
Steven Cruz wrote: Hello; I maybe wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :) peace and hugs. Miguel Guirao wrote: Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Best Regards, M Guirao If you want to do a comparison on the md5() hash you just created you could always run your SQL query like: SELECT * FROM `table` WHERE `password` = md5( $password ) LIMIT 1; That will return a true or false value based on the md5() hash of the $password var. But you cannot reverse the md5 hash to obtain the original value unless you perform a crack on it using software available software. I think what you are looking for is the base64_encode() and base64_decode() functions which will perform a simple encoding of data. -- Jason Gerfen I practice my religion while stepping on your toes... ~The Ditty Bops -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() function
Hello; I maybe wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :) peace and hugs. Miguel Guirao wrote: Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Best Regards, M Guirao -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5() function
Thanks every body for your replies!! It is clear to me that I can not reverse a hased string!! Thanks!!! Guirao -Original Message- From: Jason Gerfen [mailto:[EMAIL PROTECTED] Sent: Lunes, 14 de Enero de 2008 02:04 p.m. Cc: php-db@lists.php.net Subject: Re: [PHP-DB] md5() function Steven Cruz wrote: Hello; I maybe wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :) peace and hugs. Miguel Guirao wrote: Hi!! I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into it's human readable condition. Is there a function opposite to md5()?? Best Regards, M Guirao If you want to do a comparison on the md5() hash you just created you could always run your SQL query like: SELECT * FROM `table` WHERE `password` = md5( $password ) LIMIT 1; That will return a true or false value based on the md5() hash of the $password var. But you cannot reverse the md5 hash to obtain the original value unless you perform a crack on it using software available software. I think what you are looking for is the base64_encode() and base64_decode() functions which will perform a simple encoding of data. -- Jason Gerfen I practice my religion while stepping on your toes... ~The Ditty Bops -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] MD5, MySQL, and salts
On 4/18/06, Giff Hammar [EMAIL PROTECTED] wrote: For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm. I badly worded my response, but yes you're right. Anyway I found the article I was thinking of: http://phpsec.org/articles/2005/password-hashing.html (which ironically suggests the opposite of what I said - use a random salt :P). -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] MD5, MySQL, and salts
Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! -Sean
Re: [PHP-DB] MD5, MySQL, and salts
On 4/18/06, Sean Mumford [EMAIL PROTECTED] wrote: Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! If it's a dynamic salt, how are you going to access it when you have to compare ? There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :( -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] MD5, MySQL, and salts
For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm. Giff -Original Message- From: chris smith [mailto:[EMAIL PROTECTED] Sent: Monday, April 17, 2006 4:36 PM To: Sean Mumford Cc: php-db@lists.php.net Subject: Re: [PHP-DB] MD5, MySQL, and salts On 4/18/06, Sean Mumford [EMAIL PROTECTED] wrote: Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! If it's a dynamic salt, how are you going to access it when you have to compare ? There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :( -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] MD5, MySQL, and salts
This begs the question of what would this method buy you over MD5? Some people have issue with like passwords looking the same with MD5 encryption, also a one way hash. But if you know the salt, then like passwords would also look the same, right? -B Giff Hammar wrote: For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm. Giff -Original Message- From: chris smith [mailto:[EMAIL PROTECTED] Sent: Monday, April 17, 2006 4:36 PM To: Sean Mumford Cc: php-db@lists.php.net Subject: Re: [PHP-DB] MD5, MySQL, and salts On 4/18/06, Sean Mumford [EMAIL PROTECTED] wrote: Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! If it's a dynamic salt, how are you going to access it when you have to compare ? There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :( -- Postgresql php tutorials http://www.designmagick.com/ -- -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] MD5, MySQL, and salts
True in some form, it always comes down again to the strength and integrity of the original password. Yes, even if a salt is unknown and it is a plain text, dictionary password, then it doesn't take much for a brute force attempt at just using the first two characters of each word and salting it with the word to create the hash and seeing if it matches. But just knowing the two character salt doesn't overly help in decrypting the hash. Using a custom hash particularly using part of the key itself as the hash increases the integrity and uniqueness of the hash by an exponential factor. You have two values now that are affecting the hash output value. Something to chew on... -J B This begs the question of what would this method buy you over MD5? Some people have issue with like passwords looking the same with MD5 encryption, also a one way hash. But if you know the salt, then like passwords would also look the same, right? -B Giff Hammar wrote: For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm. Giff -Original Message- From: chris smith [mailto:[EMAIL PROTECTED] Sent: Monday, April 17, 2006 4:36 PM To: Sean Mumford Cc: php-db@lists.php.net Subject: Re: [PHP-DB] MD5, MySQL, and salts On 4/18/06, Sean Mumford [EMAIL PROTECTED] wrote: Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! If it's a dynamic salt, how are you going to access it when you have to compare ? There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :( -- Postgresql php tutorials http://www.designmagick.com/ -- -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.384 / Virus Database: 268.4.2/314 - Release Date: 16/04/2006 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.1.384 / Virus Database: 268.4.2/314 - Release Date: 16/04/2006 -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] MD5, MySQL, and salts
you need the key to be easily available, so row id or a set date field(one that does not change as opposed to a timestamp type field) bastien From: Sean Mumford [EMAIL PROTECTED] To: php-db@lists.php.net Subject: [PHP-DB] MD5, MySQL, and salts Date: Mon, 17 Apr 2006 15:33:58 -0400 Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know i could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! -Sean -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] md5() and mysql
Hello,
I'm looking at using md5() and mysql for user auth to some of the data
in a table. I found the following on the php md5 manual page,
$query = INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'));
$password = md5($password);
$query = SELECT * FROM user WHERE username='DummyUser' AND
password='DummyPassword';
I see that nobody will be able to view the password once it's in the
database, but I'm thinking that the plain text password is sent to and
from the server and someone might be able to snoop the plain text
password. Is that right?
Thanks for the help,
Mike
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() and mysql
Mike Baerwolf wrote:
I'm looking at using md5() and mysql for user auth to some of the data
in a table. I found the following on the php md5 manual page,
$query = INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'));
$password = md5($password);
$query = SELECT * FROM user WHERE username='DummyUser' AND
password='DummyPassword';
password = '$password';
I see that nobody will be able to view the password once it's in the
database, but I'm thinking that the plain text password is sent to and
from the server and someone might be able to snoop the plain text
password. Is that right?
Yes. That's why you use SSL on your login pages.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals www.phparch.com
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] md5 question!
Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue On Tue, 2003-06-24 at 08:35, JeRRy wrote: Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
no. we added to old 'password' question to one of the sites I did for this reason. When the client registered, they picked a question, ssn, mother's maiden name, dog's name, etc and entered an answer. That way if they lost their password, they could go to a 'lost password' area, enter their username, select and answer their question. they were then logged in and could change their password. of course Marco's suggestions is good also, that way you can confirm you are speaking to the actual user before you change their password. Eddie -Original Message- From: JeRRy [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 8:35 AM To: [EMAIL PROTECTED] Subject: [PHP-DB] md5 question! Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Marco, Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5? I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time. Jerry --- Marco Tabini [EMAIL PROTECTED] wrote: Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue On Tue, 2003-06-24 at 08:35, JeRRy wrote: Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:08, JeRRy wrote:
I guess technically there MUST be a way to break the
barrier where you can reverse it. If there is a way
to make it there is always a way to break it, somehow.
But what I have heard and read it's very tight
and probably the best method to handle passwords for
now, until something new is released. Which will
happen when md5 is broken, like everything else after
a little bit of time.
Well, that's not necessarily true. Take something as simple as an
integer division. Say that in order calculate your hash you divide any
number by 3 and discard the remainder. The result '4' could mean that
your original number could be anywhere between 12 and 14, for example,
so that even if you know that method that was used to calculate the hash
you couldn't determine the original password from it. md5 works on a
similar basis, although a bit (but not that much) more complicated. So
you see, it's mathematically impossible to retrieve the original
password starting from the hash... which is a Good Thing(tm) :-)
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a free trial issue
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what the
passwords are.
You may want to reset the passwords upon your users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
This is waaay over my head, but if any of you are interested:
http://www.faqs.org/rfcs/rfc1321
I just read it and have come to the conclusion that MD5 is a small, British
sports car ;^)
Rich
-Original Message-
From: Marco Tabini [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:30 AM
To: JeRRy
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:08, JeRRy wrote:
I guess technically there MUST be a way to break the
barrier where you can reverse it. If there is a way
to make it there is always a way to break it, somehow.
But what I have heard and read it's very tight
and probably the best method to handle passwords for
now, until something new is released. Which will
happen when md5 is broken, like everything else after
a little bit of time.
Well, that's not necessarily true. Take something as simple as an
integer division. Say that in order calculate your hash you divide any
number by 3 and discard the remainder. The result '4' could mean that
your original number could be anywhere between 12 and 14, for example,
so that even if you know that method that was used to
calculate the hash
you couldn't determine the original password from it. md5 works on a
similar basis, although a bit (but not that much) more complicated. So
you see, it's mathematically impossible to retrieve the original
password starting from the hash... which is a Good Thing(tm) :-)
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a free trial issue
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what the
passwords are.
You may want to reset the passwords upon your users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or
Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Hi,
Hmmm okay... So if the passowrd was.
jerry
and the md5 output was
SKHDJHDJDHJDHSfdfs
and another user sets their passowrd to the same as
mine does that mean the md5 output would be identical
to the last as the same password is entered?
e.g.
User 1:
Username: Fred
Password: jerry
User 2:
Username: notfred
Password: jerry
Or is each entry unique ?
I'm thinking if each entry was unique than reversing
the md5 action could be inconclusive. But if the
output is the same if the same password is entered
than sure it's reliable. But I could be barking up
the wrong tree all together here, so correct me if I
am wrong. I have not used md5 before so learning on
that behalf.
Jerry
--- [EMAIL PROTECTED] wrote: Just use brute
force...
Example:
md5('password') will ALWAYS produce the same output!
So, if I intercept a pmd5 encrypted password that
looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible
combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but with
3+ Ghz processors coming
out you'd be surprised how quickly one could loop
through billlions of possible
password combinations. Enter distributed
environments and it is much fatser.
The key is not to rely on passwords but to rely on
other system security
messures, use SSL, so it is hard to intercept in the
first place, make sure
your system is secure so these passwords cannot be
extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that it
was
one way. So websites that have the option to
retrieve
password don't use md5?
I guess technically there MUST be a way to break
the
barrier where you can reverse it. If there is a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's very
tight
and probably the best method to handle passwords
for
now, until something new is released. Which will
happen when md5 is broken, like everything else
after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what
the
passwords are.
You may want to reset the passwords upon your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
md5 returns a 32 char hexdec string. I'm not sure where you get an 11
char alpha string from md5...
Since the MD5 is 32 chars in length, with 36 possibilities for each char,
that leaves us with 36^32, or 63340286662973277706162286946811886609896461828096
or 63,340,286,662,973,276,904,018,768,749,012,366,609,829,142,200,320 after
using number_format. What is that? A little more than the billions of
possibilities you suggest would exist... Hmmm, that's 63 quindecillion, or
like 63 * 10^48. Ouch. I think even with 3+ Ghz processors you might have
to wait a few years. Months? Maybe distributed, but doubtful. Given that
it took 4 years to go through 15,769,938,165,961,326,592 keys (out of a
possible 18,446,744,073,709,551,616) to break 64
bit RSA encryption. Thats 18 * 10^18 total possible keys. That's a lot
less than 63 * 10^48 and it took 4 years and 331,000 computers.
http://www.pcw.co.uk/News/1135452
From the PHP manual:
http://php.net/md5
Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5
Message-Digest Algorithm, and returns that hash. The hash is a 32-character
hexadecimal number. If the optional raw_output is set to TRUE, then the md5
digest is instead returned in raw binary format with a length of 16.
Beckman
On Tue, 24 Jun 2003 [EMAIL PROTECTED] wrote:
Just use brute force...
Example:
md5('password') will ALWAYS produce the same output!
So, if I intercept a pmd5 encrypted password that looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming
out you'd be surprised how quickly one could loop through billlions of possible
password combinations. Enter distributed environments and it is much fatser.
The key is not to rely on passwords but to rely on other system security
messures, use SSL, so it is hard to intercept in the first place, make sure
your system is secure so these passwords cannot be extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that it was
one way. So websites that have the option to retrieve
password don't use md5?
I guess technically there MUST be a way to break the
barrier where you can reverse it. If there is a way
to make it there is always a way to break it, somehow.
But what I have heard and read it's very tight
and probably the best method to handle passwords for
now, until something new is released. Which will
happen when md5 is broken, like everything else after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what the
passwords are.
You may want to reset the passwords upon your users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
---
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Marco,
Okay I just replied to another post asking if md5
outputs a different output if the same password was
entered by more than 1 user.
I think the answer to that is explained by you below.
If true, if more than 1 user had an identical password
to another the md5 output would be unique for each
user. So a different md5 output even though the same
password. Because if:
snip
it's mathematically impossible to retrieve
the original
password starting from the hash... which is a Good
Thing(tm) :-)
/snip
... is true than a different md5 output must be
outputed for each password even if it's the same as
another. Because if it was the same md5 output it
would than be possible to reverse the md5 back to
plain text? Well I woudl think so, because it's the
same.
I just recieved an email to my inbox saying there is a
way to reverse it. So I really have no idea what to
think, instead I'm going to give the examples I have
recieved a go and see what happens.
Thanks everyone for your help/feedback/ideas and code
on this subject, it's been overwhelming. Very much
appreciated.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: On Tue,
2003-06-24 at 09:08, JeRRy wrote:
I guess technically there MUST be a way to break
the
barrier where you can reverse it. If there is a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's very
tight
and probably the best method to handle passwords
for
now, until something new is released. Which will
happen when md5 is broken, like everything else
after
a little bit of time.
Well, that's not necessarily true. Take something as
simple as an
integer division. Say that in order calculate your
hash you divide any
number by 3 and discard the remainder. The result
'4' could mean that
your original number could be anywhere between 12
and 14, for example,
so that even if you know that method that was used
to calculate the hash
you couldn't determine the original password from
it. md5 works on a
similar basis, although a bit (but not that much)
more complicated. So
you see, it's mathematically impossible to retrieve
the original
password starting from the hash... which is a Good
Thing(tm) :-)
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a
free trial issue
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what
the
passwords are.
You may want to reset the passwords upon your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
They would be the same, they have to be. If you can de-crypt it, there has to
be some method of validation. So, if someone choose the same password as you
did, and you stored those in a DB as encrypted with md5, then they would look
identical. So, you would know the other person's password.
Hi,
Hmmm okay... So if the passowrd was.
jerry
and the md5 output was
SKHDJHDJDHJDHSfdfs
and another user sets their passowrd to the same as
mine does that mean the md5 output would be identical
to the last as the same password is entered?
e.g.
User 1:
Username: Fred
Password: jerry
User 2:
Username: notfred
Password: jerry
Or is each entry unique ?
I'm thinking if each entry was unique than reversing
the md5 action could be inconclusive. But if the
output is the same if the same password is entered
than sure it's reliable. But I could be barking up
the wrong tree all together here, so correct me if I
am wrong. I have not used md5 before so learning on
that behalf.
Jerry
--- [EMAIL PROTECTED] wrote: Just use brute
force...
Example:
md5('password') will ALWAYS produce the same output!
So, if I intercept a pmd5 encrypted password that
looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible
combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but with
3+ Ghz processors coming
out you'd be surprised how quickly one could loop
through billlions of possible
password combinations. Enter distributed
environments and it is much fatser.
The key is not to rely on passwords but to rely on
other system security
messures, use SSL, so it is hard to intercept in the
first place, make sure
your system is secure so these passwords cannot be
extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that it
was
one way. So websites that have the option to
retrieve
password don't use md5?
I guess technically there MUST be a way to break
the
barrier where you can reverse it. If there is a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's very
tight
and probably the best method to handle passwords
for
now, until something new is released. Which will
happen when md5 is broken, like everything else
after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what
the
passwords are.
You may want to reset the passwords upon your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:36, JeRRy wrote: Hi, Hmmm okay... So if the passowrd was. [snip] There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes. However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure). Mt. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Hi,
Aha... That's what I thought! :) So with md5 I can
retrieve the passwords back to the user if they lose
them via email. That's what I was seeking an answer
to. Thanks so much.
Jerry
--- [EMAIL PROTECTED] wrote: They would be
the same, they have to be. If you can
de-crypt it, there has to
be some method of validation. So, if someone choose
the same password as you
did, and you stored those in a DB as encrypted with
md5, then they would look
identical. So, you would know the other person's
password.
Hi,
Hmmm okay... So if the passowrd was.
jerry
and the md5 output was
SKHDJHDJDHJDHSfdfs
and another user sets their passowrd to the same
as
mine does that mean the md5 output would be
identical
to the last as the same password is entered?
e.g.
User 1:
Username: Fred
Password: jerry
User 2:
Username: notfred
Password: jerry
Or is each entry unique ?
I'm thinking if each entry was unique than
reversing
the md5 action could be inconclusive. But if the
output is the same if the same password is entered
than sure it's reliable. But I could be barking
up
the wrong tree all together here, so correct me if
I
am wrong. I have not used md5 before so learning
on
that behalf.
Jerry
--- [EMAIL PROTECTED] wrote: Just use
brute
force...
Example:
md5('password') will ALWAYS produce the same
output!
So, if I intercept a pmd5 encrypted password
that
looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible
combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but
with
3+ Ghz processors coming
out you'd be surprised how quickly one could
loop
through billlions of possible
password combinations. Enter distributed
environments and it is much fatser.
The key is not to rely on passwords but to rely
on
other system security
messures, use SSL, so it is hard to intercept in
the
first place, make sure
your system is secure so these passwords cannot
be
extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that
it
was
one way. So websites that have the option to
retrieve
password don't use md5?
I guess technically there MUST be a way to
break
the
barrier where you can reverse it. If there is
a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's
very
tight
and probably the best method to handle
passwords
for
now, until something new is released. Which
will
happen when md5 is broken, like everything
else
after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote:
Hi
Jerry--
No, md5 is a one-way hash. That's why it's
so
safe--because if someone
steals the information he still can't tell
what
the
passwords are.
You may want to reset the passwords upon
your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com
and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if
someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on
your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List
(http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
PHP Database Mailing List
(http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:45, JeRRy wrote: If true, if more than 1 user had an identical password to another the md5 output would be unique for each user. So a different md5 output even though the same password. Because if: snip it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-) /snip ... is true than a different md5 output must be outputed for each password even if it's the same as another. Because if it was the same md5 output it would than be possible to reverse the md5 back to plain text? Well I woudl think so, because it's the same. No, these are two unrelated concepts, in fact they contradict each other. If two passwords *can* have the same hash (which is well possible), then you can't tell the password from the hash. I just recieved an email to my inbox saying there is a way to reverse it. So I really have no idea what to think, instead I'm going to give the examples I have recieved a go and see what happens. Well, I haven't heard of md5 being broken, although it's been claimed that it is breakable. I'd love to see the references they have sent you! Cheers, Marco Thanks everyone for your help/feedback/ideas and code on this subject, it's been overwhelming. Very much appreciated. Jerry --- Marco Tabini [EMAIL PROTECTED] wrote: On Tue, 2003-06-24 at 09:08, JeRRy wrote: I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time. Well, that's not necessarily true. Take something as simple as an integer division. Say that in order calculate your hash you divide any number by 3 and discard the remainder. The result '4' could mean that your original number could be anywhere between 12 and 14, for example, so that even if you know that method that was used to calculate the hash you couldn't determine the original password from it. md5 works on a similar basis, although a bit (but not that much) more complicated. So you see, it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-) Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue Jerry --- Marco Tabini [EMAIL PROTECTED] wrote: Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue On Tue, 2003-06-24 at 08:35, JeRRy wrote: Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
md5() will always return the same for the same string, how else can you
verify that the user entered their password?
everytime they log in, you have to encrypt what they typed in
$pword=md5($pword);
select * from users where uname='$uname' and pword='$pword'
and see if it matches the password they registered with, if md5() gave you
different output, then you could never verify thier password.
Eddie
-Original Message-
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:45 AM
To: Marco Tabini
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
Marco,
Okay I just replied to another post asking if md5
outputs a different output if the same password was
entered by more than 1 user.
I think the answer to that is explained by you below.
If true, if more than 1 user had an identical password
to another the md5 output would be unique for each
user. So a different md5 output even though the same
password. Because if:
snip
it's mathematically impossible to retrieve
the original
password starting from the hash... which is a Good
Thing(tm) :-)
/snip
... is true than a different md5 output must be
outputed for each password even if it's the same as
another. Because if it was the same md5 output it
would than be possible to reverse the md5 back to
plain text? Well I woudl think so, because it's the
same.
I just recieved an email to my inbox saying there is a
way to reverse it. So I really have no idea what to
think, instead I'm going to give the examples I have
recieved a go and see what happens.
Thanks everyone for your help/feedback/ideas and code
on this subject, it's been overwhelming. Very much
appreciated.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: On Tue,
2003-06-24 at 09:08, JeRRy wrote:
I guess technically there MUST be a way to break
the
barrier where you can reverse it. If there is a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's very
tight
and probably the best method to handle passwords
for
now, until something new is released. Which will
happen when md5 is broken, like everything else
after
a little bit of time.
Well, that's not necessarily true. Take something as
simple as an
integer division. Say that in order calculate your
hash you divide any
number by 3 and discard the remainder. The result
'4' could mean that
your original number could be anywhere between 12
and 14, for example,
so that even if you know that method that was used
to calculate the hash
you couldn't determine the original password from
it. md5 works on a
similar basis, although a bit (but not that much)
more complicated. So
you see, it's mathematically impossible to retrieve
the original
password starting from the hash... which is a Good
Thing(tm) :-)
Marco
--
php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a
free trial issue
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what
the
passwords are.
You may want to reset the passwords upon your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your Telstra or Vodafone mobile.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Marco, Aha... Thanks. I guess there is no need to add a salt if I'm the only admin using the database interface. But I guess if you want to be more secure etc it would be best to add it so if someone grabbed the database they will find no matches. I really have to look into making my databases more secure than they already are. Any good websites that is good reading for this? I mean reliable sites with no bull ***rubbish*** which does not send on the wrong messages. Jerry --- Marco Tabini [EMAIL PROTECTED] wrote: On Tue, 2003-06-24 at 09:36, JeRRy wrote: Hi, Hmmm okay... So if the passowrd was. [snip] There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes. However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure). Mt. http://mobile.yahoo.com.au - Yahoo! Mobile - Check compose your email via SMS on your Telstra or Vodafone mobile. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
-Original Message- From: JeRRy [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 9:50 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [PHP-DB] md5 question! So with md5 I can retrieve the passwords back to the user if they lose them via email. No, you can't. You'll need to generate a new password, md5 it, store it mark it expired, timestamp it so it's only valid for, say, 30 minutes, email it, and finally, force the person to choose a new password when they sign in. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
I already admitted that this stuff was mostly over my head. However, I
started messing around with it a bit and would like to know if the crypt()
function would help Jerry out?
I tried md5('password') twice in a row and it did return:
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99
Then I tried crypt('password') in a 10-step loop and got this:
8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ
The code for all of the above if anybody is interested:
?php
echo md5('password')./br;
echo md5('password')./br/br;
echo CRYPT with password/br;
for($i=0;$i10;$i++){
echo crypt('password')./br;
}
}
?
PHP.NET states that there is no decrypt function since crypt() is a one-way
encryption. And given that, by default, it uses a random salt generated by
PHP, why is this not as secure as an MD5 encrypted password? Of course, all
of this is based on the supposition that the database is properly secured.
I am, by no means, arguing with any of the advice already offered regarding
the MD5 question. However, If what you're looking for is a different
encryption result for the same password, crypt() seems to do it.
Can somebody explain if this is less secure or less-preferable than MD5?
Even if one were able to decipher the algorithm PHP uses for a crypt()
operation, the salt is supposedly random so having the encryption algorithm
would not be all that useful.
Am I totally missing something here?
Rich
-Original Message-
From: Matt Schroebel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:52 AM
To: JeRRy
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] md5 question!
-Original Message-
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:50 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
So with md5 I can
retrieve the passwords back to the user if they lose
them via email.
No, you can't. You'll need to generate a new password, md5
it, store it
mark it expired, timestamp it so it's only valid for, say,
30 minutes,
email it, and finally, force the person to choose a new password when
they sign in.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
Sure, but only the first eight characters of the password are actually
used to make the hash (IIRC).
Marco
On Tue, 2003-06-24 at 10:15, Hutchins, Richard wrote:
I already admitted that this stuff was mostly over my head. However, I
started messing around with it a bit and would like to know if the crypt()
function would help Jerry out?
I tried md5('password') twice in a row and it did return:
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99
Then I tried crypt('password') in a 10-step loop and got this:
8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ
The code for all of the above if anybody is interested:
?php
echo md5('password')./br;
echo md5('password')./br/br;
echo CRYPT with password/br;
for($i=0;$i10;$i++){
echo crypt('password')./br;
}
}
?
PHP.NET states that there is no decrypt function since crypt() is a one-way
encryption. And given that, by default, it uses a random salt generated by
PHP, why is this not as secure as an MD5 encrypted password? Of course, all
of this is based on the supposition that the database is properly secured.
I am, by no means, arguing with any of the advice already offered regarding
the MD5 question. However, If what you're looking for is a different
encryption result for the same password, crypt() seems to do it.
Can somebody explain if this is less secure or less-preferable than MD5?
Even if one were able to decipher the algorithm PHP uses for a crypt()
operation, the salt is supposedly random so having the encryption algorithm
would not be all that useful.
Am I totally missing something here?
Rich
-Original Message-
From: Matt Schroebel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:52 AM
To: JeRRy
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] md5 question!
-Original Message-
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:50 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
So with md5 I can
retrieve the passwords back to the user if they lose
them via email.
No, you can't. You'll need to generate a new password, md5
it, store it
mark it expired, timestamp it so it's only valid for, say,
30 minutes,
email it, and finally, force the person to choose a new password when
they sign in.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
YOU CAN NOT RECOVER THE ORIGINAL TEXT FROM AN MD5 HASH (unless you have a
couple hundred years and nothing to do and want to try all 63*10^48
possibilities).
You can look to see if jerry and bob have the same MD5 hash as their
password, but unless your store their password in plaintext as well as an
md5 hash and you only store the md5 hash, you CANNOT send an email with the
original password. MD5 is one-way encryption.
On Tue, 24 Jun 2003, [iso-8859-1] JeRRy wrote:
Hi,
Aha... That's what I thought! :) So with md5 I can
retrieve the passwords back to the user if they lose
them via email. That's what I was seeking an answer
to. Thanks so much.
Jerry
--- [EMAIL PROTECTED] wrote: They would be
the same, they have to be. If you can
de-crypt it, there has to
be some method of validation. So, if someone choose
the same password as you
did, and you stored those in a DB as encrypted with
md5, then they would look
identical. So, you would know the other person's
password.
Hi,
Hmmm okay... So if the passowrd was.
jerry
and the md5 output was
SKHDJHDJDHJDHSfdfs
and another user sets their passowrd to the same
as
mine does that mean the md5 output would be
identical
to the last as the same password is entered?
e.g.
User 1:
Username: Fred
Password: jerry
User 2:
Username: notfred
Password: jerry
Or is each entry unique ?
I'm thinking if each entry was unique than
reversing
the md5 action could be inconclusive. But if the
output is the same if the same password is entered
than sure it's reliable. But I could be barking
up
the wrong tree all together here, so correct me if
I
am wrong. I have not used md5 before so learning
on
that behalf.
Jerry
--- [EMAIL PROTECTED] wrote: Just use
brute
force...
Example:
md5('password') will ALWAYS produce the same
output!
So, if I intercept a pmd5 encrypted password
that
looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible
combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but
with
3+ Ghz processors coming
out you'd be surprised how quickly one could
loop
through billlions of possible
password combinations. Enter distributed
environments and it is much fatser.
The key is not to rely on passwords but to rely
on
other system security
messures, use SSL, so it is hard to intercept in
the
first place, make sure
your system is secure so these passwords cannot
be
extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that
it
was
one way. So websites that have the option to
retrieve
password don't use md5?
I guess technically there MUST be a way to
break
the
barrier where you can reverse it. If there is
a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's
very
tight
and probably the best method to handle
passwords
for
now, until something new is released. Which
will
happen when md5 is broken, like everything
else
after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote:
Hi
Jerry--
No, md5 is a one-way hash. That's why it's
so
safe--because if someone
steals the information he still can't tell
what
the
passwords are.
You may want to reset the passwords upon
your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com
and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if
someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on
your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List
(http://www.php.net/)
To unsubscribe, visit:
http://www.php.net/unsub.php
Re: [PHP-DB] md5 question!
Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases. On Tue, 24 Jun 2003, Marco Tabini wrote: On Tue, 2003-06-24 at 09:36, JeRRy wrote: Hi, Hmmm okay... So if the passowrd was. [snip] There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes. However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure). Mt. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php --- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ --- -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
md5 is also a one-way encryption. crypt also provides 300*10^21 possible
values, whereas md5 provides a possible 63*10^48, or
63000 * 10^21 possible values. A little bit better
security I'd say. Crypt is fine, md5 is better (a lot better by the
numbers).
The salt doesn't matter -- it is part of the password.
The first iteration, the salt is 8m. The next one is v9. The first two
chars are the salt used, so the salt really doesn't make things more
secure. If you are storing the crypt value, you have to first select the
value from your DB, get the first two chars (8m for this example) and do
crypt($form['password'], 8m)
in order to get 8m7UxPXfRw7/2 from crypt.
With md5 you just say md5($form['password']) and send it to your select
statement and see what happens.
To answer your question, md5 is easier and more secure; however, your
system is only as secure as your password, and if your password is
password (one of the most popular passwords in the world) md5 nor crypt
nor the best encryption will help you.
Peter
On Tue, 24 Jun 2003, Hutchins, Richard wrote:
I already admitted that this stuff was mostly over my head. However, I
started messing around with it a bit and would like to know if the crypt()
function would help Jerry out?
I tried md5('password') twice in a row and it did return:
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99
Then I tried crypt('password') in a 10-step loop and got this:
8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ
The code for all of the above if anybody is interested:
?php
echo md5('password')./br;
echo md5('password')./br/br;
echo CRYPT with password/br;
for($i=0;$i10;$i++){
echo crypt('password')./br;
}
}
?
PHP.NET states that there is no decrypt function since crypt() is a one-way
encryption. And given that, by default, it uses a random salt generated by
PHP, why is this not as secure as an MD5 encrypted password? Of course, all
of this is based on the supposition that the database is properly secured.
I am, by no means, arguing with any of the advice already offered regarding
the MD5 question. However, If what you're looking for is a different
encryption result for the same password, crypt() seems to do it.
Can somebody explain if this is less secure or less-preferable than MD5?
Even if one were able to decipher the algorithm PHP uses for a crypt()
operation, the salt is supposedly random so having the encryption algorithm
would not be all that useful.
Am I totally missing something here?
Rich
-Original Message-
From: Matt Schroebel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:52 AM
To: JeRRy
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] md5 question!
-Original Message-
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:50 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
So with md5 I can
retrieve the passwords back to the user if they lose
them via email.
No, you can't. You'll need to generate a new password, md5
it, store it
mark it expired, timestamp it so it's only valid for, say,
30 minutes,
email it, and finally, force the person to choose a new password when
they sign in.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
---
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question! [CORRECTED]
My mistake -- I'm wrong here. Through a few emails I learned that it is a 32 character hex value that is returned, not a 32 char alphanumeric. That reduces my estimate of 63*10^48 to 340*10^36, still more than crypt though. My bad, sorry to all who believed me without question! Beckman On Tue, 24 Jun 2003, Peter Beckman wrote: md5 is also a one-way encryption. crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000 * 10^21 possible values. A little bit better security I'd say. Crypt is fine, md5 is better (a lot better by the numbers). The salt doesn't matter -- it is part of the password. The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure. If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do crypt($form['password'], 8m) in order to get 8m7UxPXfRw7/2 from crypt. With md5 you just say md5($form['password']) and send it to your select statement and see what happens. To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is password (one of the most popular passwords in the world) md5 nor crypt nor the best encryption will help you. Peter --- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ --- -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
It's all dependent on the seed the first two characters of the hash
You take a password, say apass and pass it through md5
Say you get :
dFeRDfss3456fdddsas/..
When the user types in their password, this is what happens
The string above is retrieved, and the password entered, apass is run
through md5 WITH THE KNOWN SEED, dF
The output of md5 will be
dFeRDfss3456fdddsas/..
and it is compared to what is stored. If they match, hunky-dory, the auth is
granted
Upon creating an md5 hash, the seed is randomly generated, so that two users
with the same password may have completely different hash strings.
Gary Every
Sr. UNIX Administrator
Ingram Entertainment
(615) 287-4876
Pay It Forward
mailto:[EMAIL PROTECTED]
http://accessingram.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 4:47 AM
To: JeRRy; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!
They would be the same, they have to be. If you can de-crypt
it, there has to
be some method of validation. So, if someone choose the same
password as you
did, and you stored those in a DB as encrypted with md5, then
they would look
identical. So, you would know the other person's password.
Hi,
Hmmm okay... So if the passowrd was.
jerry
and the md5 output was
SKHDJHDJDHJDHSfdfs
and another user sets their passowrd to the same as
mine does that mean the md5 output would be identical
to the last as the same password is entered?
e.g.
User 1:
Username: Fred
Password: jerry
User 2:
Username: notfred
Password: jerry
Or is each entry unique ?
I'm thinking if each entry was unique than reversing
the md5 action could be inconclusive. But if the
output is the same if the same password is entered
than sure it's reliable. But I could be barking up
the wrong tree all together here, so correct me if I
am wrong. I have not used md5 before so learning on
that behalf.
Jerry
--- [EMAIL PROTECTED] wrote: Just use brute
force...
Example:
md5('password') will ALWAYS produce the same output!
So, if I intercept a pmd5 encrypted password that
looks like: SKHGDOIUYFB
then I could just say:
if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
printf(Your password is: %s\n, password);
So, just start a loop going through all possible
combinations od legal password
character and encrypt with md5, then compare.
Hard? Not at all, Time consuming, perhaps, but with
3+ Ghz processors coming
out you'd be surprised how quickly one could loop
through billlions of possible
password combinations. Enter distributed
environments and it is much fatser.
The key is not to rely on passwords but to rely on
other system security
messures, use SSL, so it is hard to intercept in the
first place, make sure
your system is secure so these passwords cannot be
extracted from your DB
without you knowing about it, etc...
Marco,
Thanks, that's what I originally thought that it
was
one way. So websites that have the option to
retrieve
password don't use md5?
I guess technically there MUST be a way to break
the
barrier where you can reverse it. If there is a
way
to make it there is always a way to break it,
somehow.
But what I have heard and read it's very
tight
and probably the best method to handle passwords
for
now, until something new is released. Which will
happen when md5 is broken, like everything else
after
a little bit of time.
Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote: Hi
Jerry--
No, md5 is a one-way hash. That's why it's so
safe--because if someone
steals the information he still can't tell what
the
passwords are.
You may want to reset the passwords upon your
users'
request and send it
to them via e-mail instead.
Cheers,
Marco
--
php|architect -- The Magazine for PHP
Professionals
Come try us out at http://www.phparch.com and
get a
free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi,
If I use md5 to handle passwords to my
database is
there a way to reverse the action if someone
forgets
their password? Is there a way for me to
decode
the
32bit to plain text?
Jerry
http://mobile.yahoo.com.au - Yahoo! Mobile
- Check compose your email via SMS on your
Telstra or Vodafone mobile.
--
Marco Tabini
President
Marco Tabini Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada
Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
--
PHP Database Mailing List (http
Re: [PHP-DB] md5 question!
On Tuesday 24 June 2003 21:08, JeRRy wrote:
I guess technically there MUST be a way to break the
barrier where you can reverse it. If there is a way
to make it there is always a way to break it, somehow.
Consider that whatever sized input you give it, after it's been md5'ed, you'll
get a 32 char hex string. Now how can a 32 byte string be converted back into
a multi-gigabyte file (or whatever)? It is technically possible to create two
different inputs which results in the same hash but the chances of that is
very remote and hence why md5 is pretty secure.
--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] MD5 hash problem
Hello list,
I am having a problem with MD5().
Every time I try to use this function it seems to work, but I get the
same results. Below is what I am trying to do.
$pass = MD5('$password');
For every password that I store in the database I have found it is the
same string of characters no matter what the original $password is.
$pass always = 243e61e9410a9f577d2d662c67025ee9
In other words, it looks like the MD5 function is working but not
correctly because it is calculating the hash, but is finding the same
hash for every string. Any help would be greatly appreciated.
I am new to the whole list process so if I do or say something wrong
please do not hate me.
Thanks,
Mike
Mike Calvelage
Webmaster / Sales Associate
Viper Systems
vipersystems.biz
[EMAIL PROTECTED]
419-224-8344
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] MD5 hash problem
For every password that I store in the database I have found it is the
same string of characters no matter what the original $password is.
That is because you have single quotes around your variable so it is not
being expanded, so everytime it is the MD5 of the same thing, the string
$password.
$pass = MD5('$password');
Change it to MD5($password); or MD5($password);
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] MD5 Update
Please, help me with this: $preencher = mysql_query(SELECT * FROM alemao); $update = mysql_query(UPDATE alemao SET codigo = md5(concat(nome,email))); mysql_close ($db); whats wrong with my code? when I tell him to ? if ($update) echo Insert MD5; else echo No; ? he returns Insert MD5, but nothing happens in the db... whats wrong? Thank you in advance, Dani -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] MD5 Update
$preencher = mysql_query(SELECT * FROM alemao); $update = mysql_query(UPDATE alemao SET codigo = md5(concat(nome,email))); mysql_close ($db); whats wrong with my code? when I tell him to ? if ($update) echo Insert MD5; else echo No; ? he returns Insert MD5, but nothing happens in the db... whats wrong? You're query is fine (assuming column names are correct), something has to happen. What do you expect to happen? Your UPDATE query is going to update every row in the table... ---John W. Holmes... PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] MD5()
Hi there everyone, I have to store some CC details in a database which are inputted from a form, is MD5() the best way to secure the data? If so, how do I view MD5() data after it has been inserted? Any good MD5() tutorials out there? Thanks for your help :-) Regards Chris
Re: [PHP-DB] MD5()
md5() is a one-way encryption algorithm. So once they are encrypted, you cannot decrypt them. Just look at the md5() function on the php website. It has what you need to do. Of course if you eventually need these back in the clear, then md5 would not be a solution. -Brad Chris Payne wrote: Hi there everyone, I have to store some CC details in a database which are inputted from a form, is MD5() the best way to secure the data? If so, how do I view MD5() data after it has been inserted? Any good MD5() tutorials out there? Thanks for your help :-) Regards Chris -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] MD5()
I have to store some CC details in a database which are inputted from a form, is MD5() the best way to secure the data? If so, how do I view MD5() data after it has been inserted? Any good MD5() tutorials out there? Please do your users a favor and do not store credit card numbers on your system. ---John W. Holmes... PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] MD5 (' ')
I had a similar problem. I think it has to do with the character encoding
of the output hash.
My only resort (very ugly!!) was to have a perl script wich calculated the
hash. The perl script looks like:
#!/usr/bin/perl
use Digest::MD5 qw(md5_base64);
print md5_base64($ARGV[0]);
Maybe your problem is similar. The perl MD5 modules seems to have more
encoding options than the php one. Have a look it might give you a clue as
to where the problem is.
Andre
At 18:10 29/08/2001 +0300, Andrey Hristov wrote:
I'm not so sure, but there is another parameter to md5() - the salt.
Andrey Hristov
IcyGEN Corporation
http://www.icygen.com
99%
- Original Message -
From: Ignat Ikryanov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 29, 2001 4:45 PM
Subject: [PHP-DB] MD5 (' ')
Hi!
I use md5 function to encrypt users password stored in MySql database.
When I try encrypt string 'asdf' using md5 function I
retrieve:
912ec803b2ce49e4a541068d495ab570
But in 'shodow' file of my linux (Debian 2.2 used MD5 to encrypt users
password) 'asdf' string looks like:
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
Why results are different?
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] MD5 (' ')
MD5 doesn't use a salt.
http://www.faqs.org/rfcs/rfc1321.html
Sheridan Saint-Michel
Website Administrator
FoxJet, an ITW Company
www.foxjet.com
- Original Message -
From: Andrey Hristov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 29, 2001 10:10 AM
Subject: Re: [PHP-DB] MD5 (' ')
I'm not so sure, but there is another parameter to md5() - the salt.
Andrey Hristov
IcyGEN Corporation
http://www.icygen.com
99%
- Original Message -
From: Ignat Ikryanov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 29, 2001 4:45 PM
Subject: [PHP-DB] MD5 (' ')
Hi!
I use md5 function to encrypt users password stored in MySql database.
When I try encrypt string 'asdf' using md5 function I
retrieve:
912ec803b2ce49e4a541068d495ab570
But in 'shodow' file of my linux (Debian 2.2 used MD5 to encrypt users
password) 'asdf' string looks like:
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
Why results are different?
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] MD5 (' ')
- Original Message -
From: Ignat Ikryanov [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 29, 2001 4:45 PM
Subject: [PHP-DB] MD5 (' ')
Hi!
I use md5 function to encrypt users password stored in MySql database.
When I try encrypt string 'asdf' using md5 function I
retrieve:
912ec803b2ce49e4a541068d495ab570
But in 'shodow' file of my linux (Debian 2.2 used MD5 to encrypt users
password) 'asdf' string looks like:
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
Why results are different?
Unix Shadow passwords are actually computed using an alogrithm, md5 is part
of that algorithm but not the entire thing. You can immediately tell that
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
is not an md5 hash because all md5 hashes are 32 characters and this is 35.
Shadow passwords computed with this algorithm are start $1 and then have a 8
character salt surrounded by $'s. The last part of the hash is 22
characters which
are computed by the algorithm. So in the above string $1$ indicates that it
is a shadow
password, and arjq575D is the salt followed by $. I looked around on google
for a bit, but
could not find the specifc algoritm Debian uses to compute the last 22
characters. I'll let
you know if I find it. You might also want to try this script:
http://limonez.net/~jure/php/md5crypt.phps
I noticed it in the user notes for md5. It says it makes FreeBSD style
shadow passwords
though, and I am not sure if FreeBSD uses the same algorithm as Debian or
not.
(I also have not actually verified that the above script does ANYTHING =P )
Good luck. I'll let you know if I find anything specific on Debian.
Sheridan Saint-Michel
Website Administrator
FoxJet, an ITW Company
www.foxjet.com
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP-DB] md5
I know there is an issue about encrypting an already encrypted
string, or encrypting something twice. I believe it is against the law in
the US for some algorithms (like MD5). They [they] have to be able to crack
your stuff.
Maybe someone can confirm?
How does this relate to your problem? Well maybe md5 thinks your
string has already been encrypted.
Mike
-Original Message-
From: bryan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 4:48 PM
To: Joe Brown; db
Subject: Re: [PHP-DB] md5
Yeah, i am aware of the 32 byte character string. As a matter of fact, I
md5 the password on initial
sign-up. Then just compare it to the regular password. As for this case, I
am trying to
update the password that is already md5 'd in the database. The problem is,
I am creating a
random string (with letters and numbers) and making it 10 characters long.
I think md5
has a problem with this, for some reason
Probably just me though. Thanks for the advice.
bryan
- Original Message -
From: "Joe Brown" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 12:40 PM
Subject: Re: [PHP-DB] md5
You are aware that md5() generates a 32 byte character string?
Working on the 10 digit password request, have you alotted enough space in
your database columns to cater to a 32 byte string (64 for multibyte)?
BTW: md5 has eaten everything I've thrown at it ;-)
""bryan"" [EMAIL PROTECTED] wrote in message
005801c0a0f1$c5c3cd40$272478cc@bryan">news:005801c0a0f1$c5c3cd40$272478cc@bryan...
I need some advice on this
I am creating a random password through a function.
This creates a random password and updates it in the database.
The sql query works if I make it :
$sql = "UPDATE members SET password='$password', verify='$verify' WHERE
username='$username' ";
but if I make the code (as below) with the md5, it does not.
I must be doing something wrong, or it does not like to md5 random things
or something. Any Advice?
for ( $a=0; $a1; $a++) {
$password = newpwd( 10 );
$verify = $password;
$dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
mysql_select_db( "playtime" );
$sql = "UPDATE members SET password=' ".md5($password)." ', verify='
".md5($verify)" ' WHERE username='$username' ";
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] md5
You are aware that md5() generates a 32 byte character string?
Working on the 10 digit password request, have you alotted enough space in
your database columns to cater to a 32 byte string (64 for multibyte)?
BTW: md5 has eaten everything I've thrown at it ;-)
""bryan"" [EMAIL PROTECTED] wrote in message
005801c0a0f1$c5c3cd40$272478cc@bryan">news:005801c0a0f1$c5c3cd40$272478cc@bryan...
I need some advice on this
I am creating a random password through a function.
This creates a random password and updates it in the database.
The sql query works if I make it :
$sql = "UPDATE members SET password='$password', verify='$verify' WHERE
username='$username' ";
but if I make the code (as below) with the md5, it does not.
I must be doing something wrong, or it does not like to md5 random things
or something. Any Advice?
for ( $a=0; $a1; $a++) {
$password = newpwd( 10 );
$verify = $password;
$dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
mysql_select_db( "playtime" );
$sql = "UPDATE members SET password=' ".md5($password)." ', verify='
".md5($verify)" ' WHERE username='$username' ";
Thanks
bryan
Bryan Fitch
Programmer
Concept Factory
[EMAIL PROTECTED]
http://www.concept-factory.com
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] md5
Yeah, i am aware of the 32 byte character string. As a matter of fact, I
md5 the password on initial
sign-up. Then just compare it to the regular password. As for this case, I
am trying to
update the password that is already md5 'd in the database. The problem is,
I am creating a
random string (with letters and numbers) and making it 10 characters long.
I think md5
has a problem with this, for some reason
Probably just me though. Thanks for the advice.
bryan
- Original Message -
From: "Joe Brown" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 12:40 PM
Subject: Re: [PHP-DB] md5
You are aware that md5() generates a 32 byte character string?
Working on the 10 digit password request, have you alotted enough space in
your database columns to cater to a 32 byte string (64 for multibyte)?
BTW: md5 has eaten everything I've thrown at it ;-)
""bryan"" [EMAIL PROTECTED] wrote in message
005801c0a0f1$c5c3cd40$272478cc@bryan">news:005801c0a0f1$c5c3cd40$272478cc@bryan...
I need some advice on this
I am creating a random password through a function.
This creates a random password and updates it in the database.
The sql query works if I make it :
$sql = "UPDATE members SET password='$password', verify='$verify' WHERE
username='$username' ";
but if I make the code (as below) with the md5, it does not.
I must be doing something wrong, or it does not like to md5 random things
or something. Any Advice?
for ( $a=0; $a1; $a++) {
$password = newpwd( 10 );
$verify = $password;
$dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
mysql_select_db( "playtime" );
$sql = "UPDATE members SET password=' ".md5($password)." ', verify='
".md5($verify)" ' WHERE username='$username' ";
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
