Re: [PHP-DB] md5 question!

2003-06-24 Thread Jason Wong
On Tuesday 24 June 2003 22:36, Peter Beckman wrote: > Most sites save/allow an 8 character password. Allowing alphanumerics and > underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 > or about 5 trillion possible passwords. If you allow more than 8 > characters, that number

Re: [PHP-DB] md5 question!

2003-06-24 Thread Jason Wong
On Tuesday 24 June 2003 21:08, JeRRy wrote: > I guess technically there MUST be a way to break the > barrier where you can reverse it. If there is a way > to make it there is always a way to break it, somehow. > Consider that whatever sized input you give it, after it's been md5'ed, you'

RE: [PHP-DB] md5 question!

2003-06-24 Thread Gary . Every
PROTECTED] > Sent: Tuesday, June 24, 2003 4:47 AM > To: JeRRy; [EMAIL PROTECTED] > Subject: Re: [PHP-DB] md5 question! > > > They would be the same, they have to be. If you can de-crypt > it, there has to > be some method of validation. So, if someone chose the sam

RE: [PHP-DB] md5 question! [CORRECTED]

2003-06-24 Thread Peter Beckman
My mistake -- I'm wrong here. Through a few emails I learned that it is a 32 character hex value that is returned, not a 32 char alphanumeric. That reduces my estimate of 63*10^48 to 340*10^36, still more than crypt though. My bad, sorry to all who believed me without question! Beckman On Tue,

RE: [PHP-DB] md5 question!

2003-06-24 Thread Peter Beckman
do it. > > Can somebody explain if this is less secure or less-preferable than MD5? > Even if one were able to decipher the algorithm PHP uses for a crypt() > operation, the salt is supposedly random so having the encryption algorithm > would not be all that useful. > > Am I totally

Re: [PHP-DB] md5 question!

2003-06-24 Thread Peter Beckman
Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases. On Tue, 24 Jun 2003, Marco Tabini wrote: > On

Re: [PHP-DB] md5 question!

2003-06-24 Thread Peter Beckman
YOU CAN NOT RECOVER THE ORIGINAL TEXT FROM AN MD5 HASH (unless you have a couple hundred years and nothing to do and want to try all 63*10^48 possibilities). You can look to see if jerry and bob have the same MD5 hash as their password, but unless you store their password in plaintext as well as

RE: [PHP-DB] md5 question!

2003-06-24 Thread Marco Tabini
ble to decipher the algorithm PHP uses for a crypt() > operation, the salt is supposedly random so having the encryption algorithm > would not be all that useful. > > Am I totally missing something here? > > Rich > > > -Original Message- > > From: Ma

RE: [PHP-DB] md5 question!

2003-06-24 Thread Hutchins, Richard
n algorithm would not be all that useful. Am I totally missing something here? Rich > -Original Message- > From: Matt Schroebel [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 24, 2003 9:52 AM > To: JeRRy > Cc: [EMAIL PROTECTED] > Subject: RE: [PHP-DB] md5 question! > >

RE: [PHP-DB] md5 question!

2003-06-24 Thread Matt Schroebel
> -Original Message- > From: JeRRy [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 24, 2003 9:50 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: [PHP-DB] md5 question! > > So with md5 I can > retrieve the passwords back to the user if they los

Re: [PHP-DB] md5 question!

2003-06-24 Thread JeRRy
Marco, Aha... Thanks. I guess there is no need to add a salt if I'm the only admin using the database interface. But I guess if you want to be more secure etc it would be best to add it so if someone grabbed the database they will find no matches. I really have to look into making my databases

RE: [PHP-DB] md5 question!

2003-06-24 Thread Edward Peloke
matches the password they registered with, if md5() gave you different output, then you could never verify their password. Eddie -Original Message- From: JeRRy [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 9:45 AM To: Marco Tabini Cc: [EMAIL PROTECTED] Subject: Re: [PHP-DB] m

Re: [PHP-DB] md5 question!

2003-06-24 Thread Marco Tabini
On Tue, 2003-06-24 at 09:45, JeRRy wrote: > If true, if more than 1 user had an identical password > to another the md5 output would be unique for each > user. So a different md5 output even though the same > password. Because if: > > > it's mathematically impossible to retrieve > > the origina

Re: [PHP-DB] md5 question!

2003-06-24 Thread JeRRy
Hi, Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to. Thanks so much. Jerry --- [EMAIL PROTECTED] wrote: > They would be the same, they have to be. If you can > de-crypt it, there h

Re: [PHP-DB] md5 question!

2003-06-24 Thread Marco Tabini
On Tue, 2003-06-24 at 09:36, JeRRy wrote: > Hi, > > Hmmm okay... So if the password was. > [snip] There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different

Re: [PHP-DB] md5 question!

2003-06-24 Thread bbonkosk
They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone chose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.

Re: [PHP-DB] md5 question!

2003-06-24 Thread JeRRy
Marco, Okay I just replied to another post asking if md5 outputs a different output if the same password was entered by more than 1 user. I think the answer to that is explained by you below. If true, if more than 1 user had an identical password to another the md5 output would be unique for e

Re: [PHP-DB] md5 question!

2003-06-24 Thread Peter Beckman
md5 returns a 32 char hexdec string. I'm not sure where you get an 11 char alpha string from md5... Since the MD5 is 32 chars in length, with 36 possibilities for each char, that leaves us with 36^32, or 63340286662973277706162286946811886609896461828096 or 63,340,286,662,973,276,904,018,768,749,

Re: [PHP-DB] md5 question!

2003-06-24 Thread JeRRy
Hi, Hmmm okay... So if the password was. jerry and the md5 output was SKHDJHDJDHJDHSfdfs and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered? e.g. User 1: Username: Fred Password: jerry User 2:

RE: [PHP-DB] md5 question!

2003-06-24 Thread Hutchins, Richard
, June 24, 2003 9:30 AM > To: JeRRy > Cc: [EMAIL PROTECTED] > Subject: Re: [PHP-DB] md5 question! > > > On Tue, 2003-06-24 at 09:08, JeRRy wrote: > > I guess technically there MUST be a way to break the > > barrier where you can reverse it. If there is a way > >

Re: [PHP-DB] md5 question!

2003-06-24 Thread Marco Tabini
On Tue, 2003-06-24 at 09:08, JeRRy wrote: > I guess technically there MUST be a way to break the > barrier where you can reverse it. If there is a way > to make it there is always a way to break it, somehow. > But what I have heard and read it's very tight > and probably the best method to

Re: [PHP-DB] md5 question!

2003-06-24 Thread Peter Beckman
Speaking of MD5 hashes, I had the idea and the wherewithal to build a site that had a huge pile of passwords and their various matching MD5 hashes, crypts using all 26^2 salts, etc. People could submit passwords (or request that passwords be removed); I'd initially populate it with passwords built

Re: [PHP-DB] md5 question!

2003-06-24 Thread bbonkosk
Just use brute force... Example: md5('password') will ALWAYS produce the same output! So, if I intercept a md5 encrypted password that looks like: SKHGDOIUYFB then I could just say: if (strcmp (md5('password'), SKHGDOIUYFB) == 0) printf("Your password is: %s\n", password); So, just start a loop

Re: [PHP-DB] md5 question!

2003-06-24 Thread JeRRy
Marco, Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5? I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, someho

RE: [PHP-DB] md5 question!

2003-06-24 Thread Edward Peloke
No. We added the old 'password' question to one of the sites I did for this reason. When the client registered, they picked a question, ssn, mother's maiden name, dog's name, etc and entered an answer. That way if they lost their password, they could go to a 'lost password' area, enter their usern

Re: [PHP-DB] md5 question!

2003-06-24 Thread Marco Tabini
Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magaz