Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Jason Wong
On Tuesday 18 February 2003 01:03, Greg Donald wrote:

> md5 is one-way encryption.  I use a password 'hint' field in conjunction
> with md5.

It is not an encryption at all -- it's a hash. Encryption implies a 
corresponding decryption, so a one-way encryption is either useless or an 
oxymoron.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The Angels want to wear my red shoes.
-- E. Costello
*/


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Justin French
Very true -- forgot to mention that step :)

Thanks for the reminder!!

Justin


on 18/02/03 12:49 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> If you do a password reset system please remember not to reset the
> password before they confirm who they are.
> 
> This means instead of having them entering their login and email address
> and immediately resetting their password send the account owner an e-mail
> with a link that will reset their password, if you have SSL make the
> link go over SSL that way the traffic is secure.  The link should
> contain a unique id that was randomly generated and stored in the
> database, when they click the link validate the account name, email
> address and the unique id, if they match reset the password and remove
> the unique id from the list of approved id's, this prevents someone from
> replaying the URL and resetting the password again.
> 
> Jason
> 
> On Mon, 2003-02-17 at 17:48, Justin French wrote:
>> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
>> 
>>> I'm thinking that the MD5 function more than likely encrypts a password to
>>> store into a database, and when you log in using the MD5 function it will
>>> simply encrypt the value being passed along again the same way. Now I'm
>>> wondering what happens when a user has lost their password and needs to
>>> retrieve it, there is no way to reverse the process is there?
>> 
>> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
>> password will both have the same length md5 value).
>> 
>> You would need to write a script which resets their password, and sends it
>> to them via email.
>> 
>> If they've forgotten what password they set, then they're obviously not too
>> precious about it being the same password.  Reset it to something random,
>> send it to them via email (handy for confirming their email address is still
>> valid), and let them login with that password, and change it to something
>> else if they wish.
>> 
>> Justin French
>> 
>> 
> 






Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Jason Sheets
If you do a password reset system please remember not to reset the
password before they confirm who they are.

This means instead of having them entering their login and email address
and immediately resetting their password send the account owner an e-mail
with a link that will reset their password, if you have SSL make the
link go over SSL that way the traffic is secure.  The link should
contain a unique id that was randomly generated and stored in the
database, when they click the link validate the account name, email
address and the unique id, if they match reset the password and remove
the unique id from the list of approved id's, this prevents someone from
replaying the URL and resetting the password again.

Jason

On Mon, 2003-02-17 at 17:48, Justin French wrote:
> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
> 
> > I'm thinking that the MD5 function more than likely encrypts a password to
> > store into a database, and when you log in using the MD5 function it will
> > simply encrypt the value being passed along again the same way. Now I'm
> > wondering what happens when a user has lost their password and needs to
> > retrieve it, there is no way to reverse the process is there?
> 
> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
> password will both have the same length md5 value).
> 
> You would need to write a script which resets their password, and sends it
> to them via email.
> 
> If they've forgotten what password they set, then they're obviously not too
> precious about it being the same password.  Reset it to something random,
> send it to them via email (handy for confirming their email address is still
> valid), and let them login with that password, and change it to something
> else if they wish.
> 
> Justin French
> 
> 






Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Justin French
on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:

> I'm thinking that the MD5 function more than likely encrypts a password to
> store into a database, and when you log in using the MD5 function it will
> simply encrypt the value being passed along again the same way. Now I'm
> wondering what happens when a user has lost their password and needs to
> retrieve it, there is no way to reverse the process is there?

No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
password will both have the same length md5 value).

You would need to write a script which resets their password, and sends it
to them via email.

If they've forgotten what password they set, then they're obviously not too
precious about it being the same password.  Reset it to something random,
send it to them via email (handy for confirming their email address is still
valid), and let them login with that password, and change it to something
else if they wish.

Justin French






Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Leif K-Brooks
No, it's not reversible.  When a user loses their password, you must 
generate a new one.  To stop malicious users from requesting a new 
password for a user they dislike with a program (and stopping the user 
from logging in, since their password keeps changing), a link with a 
random code is sent to their email.  The password is only changed when 
they visit the link, with the random code being correct.

Vernon wrote:

> I'm thinking that the MD5 function more than likely encrypts a password to
> store into a database, and when you log in using the MD5 function it will
> simply encrypt the value being passed along again the same way. Now I'm
> wondering what happens when a user has lost their password and needs to
> retrieve it, there is no way to reverse the process is there?
>
> Thanks



 


--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.
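
The reset flow that Jason Sheets and Leif K-Brooks describe in this thread (a random id mailed as a link, checked together with the account name and email address, then removed so the URL cannot be replayed), as an added PHP example that is not code from any poster in the thread. The table layout, function names, sample account, one-hour expiry and storing only a SHA-256 of the id are assumptions of this example.

```php
<?php
// Added example (constructed schema and sample account); needs PHP 7+ with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT, pass_hash TEXT)');
$db->exec('CREATE TABLE reset_ids (login TEXT, id_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['vernon', 'vernon@example.test', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Step 1: the request only creates a one-time id; the password is untouched.
function request_reset(PDO $db, string $login, string $email): ?string
{
    $q = $db->prepare('SELECT 1 FROM users WHERE login = ? AND email = ?');
    $q->execute([$login, $email]);
    if (!$q->fetchColumn()) {
        return null; // caller should show the same response either way
    }
    $id = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO reset_ids VALUES (?, ?, ?)')
       ->execute([$login, hash('sha256', $id), time() + 3600]);
    return $id; // goes into the e-mailed https:// link, never into the page response
}

// Step 2: the link is visited; validate login, email and id, then consume the id.
function redeem_reset(PDO $db, string $login, string $email, string $id, string $newPass): bool
{
    $db->beginTransaction();
    // Deleting first makes the id single-use even if the link is hit twice at once.
    $del = $db->prepare('DELETE FROM reset_ids WHERE login = ? AND id_hash = ? AND expires > ?');
    $del->execute([$login, hash('sha256', $id), time()]);
    $upd = $db->prepare('UPDATE users SET pass_hash = ? WHERE login = ? AND email = ?');
    $ok = $del->rowCount() === 1
        && $upd->execute([password_hash($newPass, PASSWORD_DEFAULT), $login, $email])
        && $upd->rowCount() === 1;
    $ok ? $db->commit() : $db->rollBack();
    return $ok;
}

$id = request_reset($db, 'vernon', 'vernon@example.test');
var_dump(redeem_reset($db, 'vernon', 'vernon@example.test', $id, 'new-secret')); // first visit
var_dump(redeem_reset($db, 'vernon', 'vernon@example.test', $id, 'again'));      // replayed link
```

The replayed call fails because the id row was deleted by the first visit, and the stored password only changes inside the transaction that consumed the id.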








Re: [PHP] MD5 Passwords (How it works?)

2003-02-17 Thread Greg Donald
On Mon, 17 Feb 2003, Vernon wrote:

>I'm thinking that the MD5 function more than likely encrypts a password to
>store into a database, and when you log in using the MD5 function it will
>simply encrypt the value being passed along again the same way. Now I'm
>wondering what happens when a user has lost their password and needs to
>retrieve it, there is no way to reverse the process is there?

md5 is one-way encryption.  I use a password 'hint' field in conjunction 
with md5.


-- 
Greg Donald
http://destiney.com

