RE: [PHP-DB] md5() function
Thanks everybody for your replies!! It is clear to me that I cannot reverse a hashed string!! Thanks!!!

Guirao

-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2008 02:04 p.m.
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] md5() function

Steven Cruz wrote:
> Hello;
>
> I may be wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :)
>
> peace and hugs.
>
> Miguel Guirao wrote:
>> Hi!!
>>
>> I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
>> Is there a function opposite to md5()??
>>
>> Best Regards,
>>
>> M Guirao

If you want to do a comparison on the md5() hash you just created you could always run your SQL query like:

SELECT * FROM `table` WHERE `password` = md5( $password ) LIMIT 1;

That will return a true or false value based on the md5() hash of the $password var. But you cannot reverse the md5 hash to obtain the original value unless you perform a crack on it using available software.

I think what you are looking for is the base64_encode() and base64_decode() functions which will perform a simple encoding of data.

--
Jason Gerfen

"I practice my religion while stepping on your toes..." ~The Ditty Bops

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] md5() function
Steven Cruz wrote:
> Hello;
>
> I may be wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :)
>
> peace and hugs.
>
> Miguel Guirao wrote:
>> Hi!!
>>
>> I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
>> Is there a function opposite to md5()??
>>
>> Best Regards,
>>
>> M Guirao

If you want to do a comparison on the md5() hash you just created you could always run your SQL query like:

SELECT * FROM `table` WHERE `password` = md5( $password ) LIMIT 1;

That will return a true or false value based on the md5() hash of the $password var. But you cannot reverse the md5 hash to obtain the original value unless you perform a crack on it using available software.

I think what you are looking for is the base64_encode() and base64_decode() functions which will perform a simple encoding of data.

--
Jason Gerfen

"I practice my religion while stepping on your toes..." ~The Ditty Bops
Re: [PHP-DB] md5() function
On Jan 14, 2008 2:26 PM, Miguel Guirao <[EMAIL PROTECTED]> wrote:
> Hi!!
>
> I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
> Is there a function opposite to md5()??

Negative. Once it's hashed with an MD5, SHA1, or similar encryption method, it's (as of now) impossible to reverse. You could create a table with a column of unencrypted phrases, characters, and combinations, with a second column containing the correlating hashed string, but that's about it.

--
Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since Nineteen-Seventy-[mumble].
Re: [PHP-DB] md5() function
MD5 is also known as a one-way crypt system; you can encrypt it but never unencrypt it; only using brute force or a hash list you can retrieve a 'string' whose hash is the one stored; but it is not necessarily the same original string; this is also known as a hash collision.

So, in short... no, there isn't an unMd5().

If you need to retrieve the original string, try GPG.

On 14/01/2008, Miguel Guirao <[EMAIL PROTECTED]> wrote:
> Hi!!
>
> I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
> Is there a function opposite to md5()??
>
> Best Regards,
>
> M Guirao

--
Sincerely,
Andrés G. Montañez
Network and Telecommunications Technician
Montevideo - Uruguay
Re: [PHP-DB] md5() function
Hello;

I may be wrong, but I believe it is one way. What you need to do is take your input and encrypt it and check if matches your current encrypted value. :)

peace and hugs.

Miguel Guirao wrote:

Hi!!

I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
Is there a function opposite to md5()??

Best Regards,

M Guirao
[PHP-DB] md5() function
Hi!!

I'm using the md5() function to encrypt a password and store it into a database. Now I want to retrieve that MD5 password and convert it into its human readable condition.
Is there a function opposite to md5()??

Best Regards,

M Guirao
Re: [PHP-DB] MD5, MySQL, and salts
On 4/18/06, Giff Hammar <[EMAIL PROTECTED]> wrote:
> For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm.

I badly worded my response, but yes you're right.

Anyway I found the article I was thinking of:

http://phpsec.org/articles/2005/password-hashing.html

(which ironically suggests the opposite of what I said - use a random salt :P).

--
Postgresql & php tutorials
http://www.designmagick.com/
RE: [PHP-DB] MD5, MySQL, and salts
You need the key to be easily available, so row id or a set date field (one that does not change as opposed to a timestamp type field)

bastien

From: "Sean Mumford" <[EMAIL PROTECTED]>
To:
Subject: [PHP-DB] MD5, MySQL, and salts
Date: Mon, 17 Apr 2006 15:33:58 -0400

Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

-Sean
Re: [PHP-DB] MD5, MySQL, and salts
True in some form, it always comes down again to the strength and integrity of the original password. Yes, even if a salt is unknown and it is a plain text, dictionary password, then it doesn't take much for a brute force attempt at just using the first two characters of each word and salting it with the word to create the hash and seeing if it matches. But just knowing the two character salt doesn't overly help in decrypting the hash.

Using a custom hash particularly using part of the key itself as the hash increases the integrity and uniqueness of the hash by an exponential factor. You have two values now that are affecting the hash output value.

Something to chew on...

-J B

This begs the question of what would this method buy you over MD5? Some people have "issue" with like passwords looking the same with MD5 encryption, also a one way hash. But if you know the salt, then like passwords would also look the same, right?

-B

Giff Hammar wrote:

For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:

Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to compare?

There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP-DB] MD5, MySQL, and salts
This begs the question of what would this method buy you over MD5? Some people have "issue" with like passwords looking the same with MD5 encryption, also a one way hash. But if you know the salt, then like passwords would also look the same, right?

-B

Giff Hammar wrote:

For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:

Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to compare?

There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/
RE: [PHP-DB] MD5, MySQL, and salts
For an example, look at how UNIX/Linux stores regular login passwords. In short, the salt is the first two characters in the password. When comparing passwords, you take the salt and the user supplied password, encrypt, then compare the two encrypted strings. If they match, the recently supplied password matches the original. AFAIK, that is the only way to verify passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:
> Hi Guys,
> I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to compare?

There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP-DB] MD5, MySQL, and salts
On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:
> Hi Guys,
> I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to compare?

There was an article either on phpsec.org or shiflett.org which talks about this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/
[PHP-DB] MD5, MySQL, and salts
Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance!

-Sean
Re: [PHP-DB] md5() and mysql
Mike Baerwolf wrote:

I'm looking at using md5() and mysql for user auth to some of the data in a table. I found the following on the php md5 manual page,

$query = "INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'))";
$password = md5($password);
$query = "SELECT * FROM user WHERE username='DummyUser' AND password='DummyPassword'"; password = '$password'";

I see that nobody will be able to view the password once it's in the database, but I'm thinking that the plain text password is sent to and from the server and someone might be able to snoop the plain text password. Is that right?

Yes. That's why you use SSL on your login pages.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com
[PHP-DB] md5() and mysql
Hello,

I'm looking at using md5() and mysql for user auth to some of the data in a table. I found the following on the php md5 manual page,

$query = "INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'))";
$password = md5($password);
$query = "SELECT * FROM user WHERE username='DummyUser' AND password='DummyPassword'";

I see that nobody will be able to view the password once it's in the database, but I'm thinking that the plain text password is sent to and from the server and someone might be able to snoop the plain text password. Is that right?

Thanks for the help,
Mike
Re: [PHP-DB] md5 question!
On Tuesday 24 June 2003 22:36, Peter Beckman wrote:
> Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases.

If you're using md5 then there is no inherent restriction on what characters and number of characters that can be used in the password. The limitations are in the user, they'll probably use their phone number, DOB, dog's name -- anything that's easy to remember ;-)

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
Re: [PHP-DB] md5 question!
On Tuesday 24 June 2003 21:08, JeRRy wrote:
> I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow.

Consider that whatever sized input you give it, after it's been md5'ed, you'll get a 32 char hex string. Now how can a 32 byte string be converted back into a multi-gigabyte file (or whatever)?

It is technically possible to create two different inputs which results in the same hash but the chances of that is very remote and hence why md5 is pretty secure.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
RE: [PHP-DB] md5 question!
It's all dependent on the "seed" the first two characters of the hash

You take a password, say "apass" and pass it through md5
Say you get :
dFeRDfss3456fdddsas/..

When the user types in their password, this is what happens
The string above is retrieved, and the password entered, "apass" is run through md5
WITH THE KNOWN SEED, "dF"

The output of md5 will be dFeRDfss3456fdddsas/.. and it is compared to what is stored.
If they match, hunky-dory, the auth is granted

Upon creating an md5 hash, the seed is randomly generated, so that two users with the same password may have completely different hash strings.

Gary Every
Sr. UNIX Administrator
Ingram Entertainment
(615) 287-4876
"Pay It Forward"
mailto:[EMAIL PROTECTED]
http://accessingram.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 24, 2003 4:47 AM
> To: JeRRy; [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] md5 question!
>
> They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone choose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.
>
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> > jerry
> >
> > and the md5 output was
> > SKHDJHDJDHJDHSfdfs
> >
> > and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered?
> >
> > e.g.
> >
> > User 1:
> > Username: Fred
> > Password: jerry
> >
> > User 2:
> > Username: notfred
> > Password: jerry
> >
> > Or is each entry unique ?
> >
> > I'm thinking if each entry was unique than reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered than sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf.
> >
> > Jerry
> >
> > --- [EMAIL PROTECTED] wrote:
> > > Just use brute force...
> > > Example:
> > > md5('password') will ALWAYS produce the same output!
> > > So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
> > > then I could just say:
> > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
> > > printf("Your password is: %s\n", password);
> > >
> > > So, just start a loop going through all possible combinations of legal password character and encrypt with md5, then compare.
> > >
> > > Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster.
> > > The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...
> > >
> > > > Marco,
> > > >
> > > > Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5?
> > > >
> > > > I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.
> > > >
> > > > Jerry
> > > >
> > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote:
> > > > > Hi Jerry--
RE: [PHP-DB] md5 question! [CORRECTED]
My mistake -- I'm wrong here. Through a few emails I learned that it is a 32 character hex value that is returned, not a 32 char alphanumeric. That reduces my estimate of 63*10^48 to 340*10^36, still more than crypt though.

My bad, sorry to all who believed me without question!

Beckman

On Tue, 24 Jun 2003, Peter Beckman wrote:
> md5 is also a one-way encryption. crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000 * 10^21 possible values. A little bit better security I'd say. Crypt is fine, md5 is better (a lot better by the numbers).
>
> The salt doesn't matter -- it is part of the password.
>
> The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure. If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do
> crypt($form['password'], "8m")
> in order to get 8m7UxPXfRw7/2 from crypt.
>
> With md5 you just say "md5($form['password'])" and send it to your select statement and see what happens.
>
> To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is "password" (one of the most popular passwords in the world) md5 nor crypt nor the best encryption will help you.
>
> Peter

---
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
RE: [PHP-DB] md5 question!
md5 is also a one-way encryption. crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000 * 10^21 possible values. A little bit better security I'd say. Crypt is fine, md5 is better (a lot better by the numbers).

The salt doesn't matter -- it is part of the password.

The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure. If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do
crypt($form['password'], "8m")
in order to get 8m7UxPXfRw7/2 from crypt.

With md5 you just say "md5($form['password'])" and send it to your select statement and see what happens.

To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is "password" (one of the most popular passwords in the world) md5 nor crypt nor the best encryption will help you.

Peter

On Tue, 24 Jun 2003, Hutchins, Richard wrote:
> I already admitted that this stuff was mostly over my head. However, I started messing around with it a bit and would like to know if the crypt() function would help Jerry out?
>
> I tried md5('password') twice in a row and it did return:
> 5f4dcc3b5aa765d61d8327deb882cf99
> 5f4dcc3b5aa765d61d8327deb882cf99
>
> Then I tried crypt('password') in a 10-step loop and got this:
> 8m7UxPXfRw7/2
> v9iuCQikPaf7w
> MwV8vcCiqrRbM
> lpf02L./2VtiU
> KRkddkPGedm2.
> LDMEpQwJgY.Mo
> 2HW51zTN93I9Y
> hyONnFjRN/9bM
> W9NKVzVgJ9kLM
> nNany7wy2drdQ
>
> The code for all of the above if anybody is interested:
>
> <?php
> echo md5('password')."";
>
> echo md5('password')."";
>
> echo "CRYPT with password";
> for($i=0;$i<10;$i++){
>     echo crypt('password')."";
> }
> ?>
>
> PHP.NET states that there is no decrypt function since crypt() is a one-way encryption. And given that, by default, it uses a random salt generated by PHP, why is this not as secure as an MD5 encrypted password? Of course, all of this is based on the supposition that the database is properly secured.
>
> I am, by no means, arguing with any of the advice already offered regarding the MD5 question. However, If what you're looking for is a different encryption result for the same password, crypt() seems to do it.
>
> Can somebody explain if this is less secure or less-preferable than MD5? Even if one were able to decipher the algorithm PHP uses for a crypt() operation, the salt is supposedly random so having the encryption algorithm would not be all that useful.
>
> Am I totally missing something here?
>
> Rich
>
> > -Original Message-
> > From: Matt Schroebel [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 24, 2003 9:52 AM
> > To: JeRRy
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [PHP-DB] md5 question!
> >
> > > -Original Message-
> > > From: JeRRy [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, June 24, 2003 9:50 AM
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: Re: [PHP-DB] md5 question!
> > >
> > > So with md5 I can retrieve the passwords back to the user if they lose them via email.
> >
> > No, you can't. You'll need to generate a new password, md5 it, store it & mark it expired, timestamp it so it's only valid for, say, 30 minutes, email it, and finally, force the person to choose a new password when they sign in.

---
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
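The reset procedure Matt Schroebel outlines in the reply quoted above (a new temporary password, stored hashed, valid for 30 minutes, with a forced change at sign-in), as an added example that is not code from the thread. It swaps md5() for PHP's password_hash() and keeps the temporary hash in its own column; the table layout and function names are assumptions, in-memory SQLite (pdo_sqlite) stands in for MySQL, and the account and clock values are constructed.

```php
<?php
declare(strict_types=1);

const TEMP_TTL_SECONDS = 30 * 60; // the 30-minute window suggested in the thread

// Added example. Schema and names are assumptions; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    username     TEXT PRIMARY KEY,
    pw_hash      TEXT NOT NULL,
    temp_hash    TEXT,     -- hash of the e-mailed temporary password
    temp_expires INTEGER   -- Unix time after which temp_hash is ignored
)');

/** Returns the temporary password to e-mail, or null for an unknown user. */
function issue_temp_password(PDO $db, string $username, int $now): ?string
{
    $temp = bin2hex(random_bytes(8));
    // The regular pw_hash is left alone, so a reset that the account owner
    // never asked for cannot lock them out.
    $stmt = $db->prepare('UPDATE user SET temp_hash = ?, temp_expires = ? WHERE username = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $now + TEMP_TTL_SECONDS, $username]);
    return $stmt->rowCount() === 1 ? $temp : null;
}

/** Returns 'ok', 'must_change' (temporary password accepted) or 'denied'. */
function login(PDO $db, string $username, string $password, int $now): string
{
    $stmt = $db->prepare('SELECT pw_hash, temp_hash, temp_expires FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';
    }
    if (password_verify($password, $row['pw_hash'])) {
        return 'ok';
    }
    $live = $row['temp_hash'] !== null && $now <= (int) $row['temp_expires'];
    if ($live && password_verify($password, $row['temp_hash'])) {
        return 'must_change';
    }
    return 'denied';
}

/** Completes the reset: only a still-valid temporary password may set a new one. */
function choose_new_password(PDO $db, string $username, string $temp, string $new, int $now): bool
{
    if (login($db, $username, $temp, $now) !== 'must_change') {
        return false;
    }
    // Storing the new hash also clears the temporary one, making it single-use.
    $stmt = $db->prepare(
        'UPDATE user SET pw_hash = ?, temp_hash = NULL, temp_expires = NULL WHERE username = ?'
    );
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return true;
}

// Constructed account and clock values.
$db->prepare('INSERT INTO user (username, pw_hash) VALUES (?, ?)')
   ->execute(['jerry', password_hash('forgotten-password', PASSWORD_DEFAULT)]);
$t0   = 1056463200;
$temp = issue_temp_password($db, 'jerry', $t0);

echo 'temp within window: ', login($db, 'jerry', $temp, $t0 + 60), "\n";
echo 'temp after window:  ', login($db, 'jerry', $temp, $t0 + TEMP_TTL_SECONDS + 1), "\n";
echo 'set new password:   ',
    var_export(choose_new_password($db, 'jerry', $temp, 'new-passphrase', $t0 + 120), true), "\n";
echo 'temp reused:        ', login($db, 'jerry', $temp, $t0 + 180), "\n";
echo 'new password:       ', login($db, 'jerry', 'new-passphrase', $t0 + 180), "\n";
```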
Re: [PHP-DB] md5 question!
Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases.

On Tue, 24 Jun 2003, Marco Tabini wrote:
> On Tue, 2003-06-24 at 09:36, JeRRy wrote:
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> [snip]
>
> There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes.
>
> However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure).
>
> Mt.

---
Peter Beckman Internet Guy
[EMAIL PROTECTED] http://www.purplecow.com/
---
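The per-user salt that Marco Tabini describes in the reply quoted above, which also answers the question in the "MD5, MySQL, and salts" thread of how server and database agree on a salt, as an added example that is not code from either thread: the salt is generated at registration and stored in the same row as the hash, so verification simply reads it back. The table layout, column names and function names are assumptions, in-memory SQLite (pdo_sqlite) stands in for MySQL, and the two accounts are the ones from the question in the thread.

```php
<?php
declare(strict_types=1);

// Added example. In-memory SQLite stands in for the MySQL table;
// table, column and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    username TEXT PRIMARY KEY,
    salt     TEXT NOT NULL,   -- random, per user, not secret
    md5_hash TEXT NOT NULL,   -- md5(salt . password), the scheme from the thread
    pw_hash  TEXT NOT NULL    -- password_hash() output, salt embedded
)');

function register(PDO $db, string $username, string $password): void
{
    // A fresh salt per account from the CSPRNG rather than a timestamp or a
    // site-wide constant: it only has to be unique, and it is stored in the
    // clear next to the hash so the server can read it back at login.
    $salt = bin2hex(random_bytes(16));
    $md5  = md5($salt . $password);

    // password_hash() does the same job in one call: it picks the salt,
    // applies a deliberately slow algorithm, and returns one string that
    // carries algorithm, cost, salt and hash together. MD5 is fast, so a
    // salt alone does not slow down guessing against a single account.
    $pwHash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO user (username, salt, md5_hash, pw_hash) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$username, $salt, $md5, $pwHash]);
}

function fetch_user(PDO $db, string $username): ?array
{
    // Bound parameter: the user-supplied name is never spliced into the SQL.
    $stmt = $db->prepare('SELECT salt, md5_hash, pw_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function verify_salted_md5(PDO $db, string $username, string $password): bool
{
    $row = fetch_user($db, $username);
    if ($row === null) {
        return false;
    }
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($row['md5_hash'], md5($row['salt'] . $password));
}

function verify_password_hash(PDO $db, string $username, string $password): bool
{
    $row = fetch_user($db, $username);
    // password_verify() reads the salt and cost out of the stored string.
    return $row !== null && password_verify($password, $row['pw_hash']);
}

// Constructed sample data: the two accounts from the question in the thread.
register($db, 'Fred', 'jerry');
register($db, 'notfred', 'jerry');
$fred    = fetch_user($db, 'Fred');
$notfred = fetch_user($db, 'notfred');

// Unsalted md5() of one password is one digest, whoever the user is.
echo 'unsalted digests equal: ', var_export(md5('jerry') === md5('jerry'), true), "\n";
// Stored values for the two accounts, which share a password.
echo 'salted md5 equal:       ', var_export($fred['md5_hash'] === $notfred['md5_hash'], true), "\n";
echo 'password_hash equal:    ', var_export($fred['pw_hash'] === $notfred['pw_hash'], true), "\n";
// Verification of the right password for each scheme, then of a wrong guess.
echo 'Fred/jerry (md5+salt):  ', var_export(verify_salted_md5($db, 'Fred', 'jerry'), true), "\n";
echo 'notfred/jerry (hash):   ', var_export(verify_password_hash($db, 'notfred', 'jerry'), true), "\n";
echo 'Fred/wrong (hash):      ', var_export(verify_password_hash($db, 'Fred', 'password'), true), "\n";
```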
Re: [PHP-DB] md5 question!
YOU CAN NOT RECOVER THE ORIGINAL TEXT FROM AN MD5 HASH (unless you have a couple hundred years and nothing to do and want to try all 63*10^48 possibilities).

You can look to see if jerry and bob have the same MD5 hash as their password, but unless you store their password in plaintext as well as an md5 hash and you only store the md5 hash, you CANNOT send an email with the original password.

MD5 is one-way encryption.

On Tue, 24 Jun 2003, [iso-8859-1] JeRRy wrote:
> Hi,
>
> Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to. Thanks so much.
>
> Jerry
>
> --- [EMAIL PROTECTED] wrote:
> > They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone choose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.
> >
> > > Hi,
> > >
> > > Hmmm okay... So if the password was.
> > >
> > > jerry
> > >
> > > and the md5 output was
> > > SKHDJHDJDHJDHSfdfs
> > >
> > > and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered?
> > >
> > > e.g.
> > >
> > > User 1:
> > > Username: Fred
> > > Password: jerry
> > >
> > > User 2:
> > > Username: notfred
> > > Password: jerry
> > >
> > > Or is each entry unique ?
> > >
> > > I'm thinking if each entry was unique than reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered than sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf.
> > >
> > > Jerry
> > >
> > > --- [EMAIL PROTECTED] wrote:
> > > > Just use brute force...
> > > > Example:
> > > > md5('password') will ALWAYS produce the same output!
> > > > So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
> > > > then I could just say:
> > > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
> > > > printf("Your password is: %s\n", password);
> > > >
> > > > So, just start a loop going through all possible combinations of legal password character and encrypt with md5, then compare.
> > > >
> > > > Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster.
> > > > The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...
> > > >
> > > > > Marco,
> > > > >
> > > > > Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5?
> > > > >
> > > > > I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.
> > > > >
> > > > > Jerry
> > > > >
> > > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote:
> > > > > > Hi Jerry--
> > > > > >
> > > > > > No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are.
> > > > > >
> > > > > > You may want to reset the passwords upon your users' request and send it to them via e-mail instead.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Marco
> > > > > >
> > > > > > --
> > > > > > php|architect -- The Magazine for PHP Professionals
> > > > > > Come try us out at http://www.phparch.com and get a free trial issue
> > > > > >
> > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password?
RE: [PHP-DB] md5 question!
Sure, but only the first eight characters of the password are actually used to make the hash (IIRC). Marco On Tue, 2003-06-24 at 10:15, Hutchins, Richard wrote: > I already admitted that this stuff was mostly over my head. However, I > started messing around with it a bit and would like to know if the crypt() > function would help Jerry out? > > I tried md5('password') twice in a row and it did return: > 5f4dcc3b5aa765d61d8327deb882cf99 > 5f4dcc3b5aa765d61d8327deb882cf99 > > Then I tried crypt('password') in a 10-step loop and got this: > 8m7UxPXfRw7/2 > v9iuCQikPaf7w > MwV8vcCiqrRbM > lpf02L./2VtiU > KRkddkPGedm2. > LDMEpQwJgY.Mo > 2HW51zTN93I9Y > hyONnFjRN/9bM > W9NKVzVgJ9kLM > nNany7wy2drdQ > > > The code for all of the above if anybody is interested: > > echo md5('password').""; > > echo md5('password').""; > > echo "CRYPT with password"; > for($i=0;$i<10;$i++){ > echo crypt('password').""; > } > } > ?> > > PHP.NET states that there is no decrypt function since crypt() is a one-way > encryption. And given that, by default, it uses a random salt generated by > PHP, why is this not as secure as an MD5 encrypted password? Of course, all > of this is based on the supposition that the database is properly secured. > > I am, by no means, arguing with any of the advice already offered regarding > the MD5 question. However, If what you're looking for is a different > encryption result for the same password, crypt() seems to do it. > > Can somebody explain if this is less secure or less-preferable than MD5? > Even if one were able to decipher the algorithm PHP uses for a crypt() > operation, the salt is supposedly random so having the encryption algorithm > would not be all that useful. > > Am I totally missing something here? > > Rich > > > -Original Message- > > From: Matt Schroebel [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, June 24, 2003 9:52 AM > > To: JeRRy > > Cc: [EMAIL PROTECTED] > > Subject: RE: [PHP-DB] md5 question! 
> > > > > > > > > > > -Original Message- > > > From: JeRRy [mailto:[EMAIL PROTECTED] > > > Sent: Tuesday, June 24, 2003 9:50 AM > > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > > > Subject: Re: [PHP-DB] md5 question! > > > > > > > > So with md5 I can > > > retrieve the passwords back to the user if they lose > > > them via email. > > > > No, you can't. You'll need to generate a new password, md5 > > it, store it > > & mark it expired, timestamp it so it's only valid for, say, > > 30 minutes, > > email it, and finally, force the person to choose a new password when > > they sign in. > > > > > > -- > > PHP Database Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > -- Marco Tabini President Marco Tabini & Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] md5 question!
I already admitted that this stuff was mostly over my head. However, I started messing around with it a bit and would like to know if the crypt() function would help Jerry out?

I tried md5('password') twice in a row and it did return:

5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99

Then I tried crypt('password') in a 10-step loop and got this:

8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ

The code for all of the above if anybody is interested:

<?php
// Unsalted md5(): the same input gives the same digest on every call.
echo md5('password')."<br>";
echo md5('password')."<br>";
echo "CRYPT with password";
// crypt() is called without a salt argument, so PHP picks a random salt each time
// (PHP 8.0 and later require the salt argument).
for($i=0;$i<10;$i++){
    echo crypt('password')."<br>";
}
?>

PHP.NET states that there is no decrypt function since crypt() is a one-way encryption. And given that, by default, it uses a random salt generated by PHP, why is this not as secure as an MD5 encrypted password? Of course, all of this is based on the supposition that the database is properly secured.

I am, by no means, arguing with any of the advice already offered regarding the MD5 question. However, if what you're looking for is a different encryption result for the same password, crypt() seems to do it.

Can somebody explain if this is less secure or less-preferable than MD5? Even if one were able to decipher the algorithm PHP uses for a crypt() operation, the salt is supposedly random so having the encryption algorithm would not be all that useful.

Am I totally missing something here?

Rich

> -Original Message-
> From: Matt Schroebel [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 24, 2003 9:52 AM
> To: JeRRy
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP-DB] md5 question!
>
> > -Original Message-
> > From: JeRRy [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 24, 2003 9:50 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [PHP-DB] md5 question!
> >
> > So with md5 I can
> > retrieve the passwords back to the user if they lose
> > them via email.
>
> No, you can't. You'll need to generate a new password, md5
> it, store it
> & mark it expired, timestamp it so it's only valid for, say,
> 30 minutes,
> email it, and finally, force the person to choose a new password when
> they sign in.
RE: [PHP-DB] md5 question!
> -Original Message-
> From: JeRRy [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 24, 2003 9:50 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] md5 question!
>
> So with md5 I can
> retrieve the passwords back to the user if they lose
> them via email.

No, you can't. You'll need to generate a new password, md5 it, store it & mark it expired, timestamp it so it's only valid for, say, 30 minutes, email it, and finally, force the person to choose a new password when they sign in.
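Added example (not part of the thread): the reset procedure Matt Schroebel lists above, written out as PHP. It swaps md5() for password_hash()/password_verify(); the in-memory `$users` array, the function names and the fixed clock values are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Lifetime of an e-mailed temporary password ("say, 30 minutes").
const TEMP_PASSWORD_TTL = 30 * 60;

// Constructed in-memory store standing in for the users table.
$users = [
    'jerry' => [
        'pw_hash'      => password_hash('old secret', PASSWORD_DEFAULT),
        'must_change'  => false,  // true while only a temporary password is set
        'temp_expires' => null,   // Unix time after which the temporary password is dead
    ],
];

// Steps 1-3: generate a random password, store only its hash, flag it and time-limit it.
// The return value is what would be e-mailed; the plaintext is never stored.
function issueTemporaryPassword(array &$users, string $uname, int $now): ?string
{
    if (!isset($users[$uname])) {
        return null;
    }
    $temp = strtr(base64_encode(random_bytes(12)), '+/', '-_'); // 16 URL-safe characters
    $users[$uname] = [
        'pw_hash'      => password_hash($temp, PASSWORD_DEFAULT),
        'must_change'  => true,
        'temp_expires' => $now + TEMP_PASSWORD_TTL,
    ];
    return $temp;
}

// Sign-in returns 'ok', 'must_change' (temporary password accepted, new one required)
// or 'denied' (wrong password, unknown user, or temporary password past its 30 minutes).
function signIn(array $users, string $uname, string $password, int $now): string
{
    $user = $users[$uname] ?? null;
    if ($user === null || !password_verify($password, $user['pw_hash'])) {
        return 'denied';
    }
    if ($user['must_change']) {
        return $now <= $user['temp_expires'] ? 'must_change' : 'denied';
    }
    return 'ok';
}

// Final step: the temporary password is only good for choosing a permanent one.
function chooseNewPassword(array &$users, string $uname, string $temp, string $new, int $now): bool
{
    if (signIn($users, $uname, $temp, $now) !== 'must_change') {
        return false;
    }
    $users[$uname] = [
        'pw_hash'      => password_hash($new, PASSWORD_DEFAULT),
        'must_change'  => false,
        'temp_expires' => null,
    ];
    return true;
}

// Walk-through with a fixed clock so the expiry branch is visible.
$t0   = 1000000;
$temp = issueTemporaryPassword($users, 'jerry', $t0);

echo 'old password after reset:      ', signIn($users, 'jerry', 'old secret', $t0), "\n";
echo 'temporary password, in time:   ', signIn($users, 'jerry', $temp, $t0 + 60), "\n";
echo 'temporary password, too late:  ', signIn($users, 'jerry', $temp, $t0 + TEMP_PASSWORD_TTL + 1), "\n";
echo 'choosing a new password:       ';
var_dump(chooseNewPassword($users, 'jerry', $temp, 'a new passphrase', $t0 + 120));
echo 'new password:                  ', signIn($users, 'jerry', 'a new passphrase', $t0 + 180), "\n";
echo 'temporary password afterwards: ', signIn($users, 'jerry', $temp, $t0 + 240), "\n";
```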
Re: [PHP-DB] md5 question!
Marco,

Aha... Thanks. I guess there is no need to add a salt if I'm the only admin using the database interface. But I guess if you want to be more secure etc it would be best to add it so if someone grabbed the database they will find no matches.

I really have to look into making my databases more secure than they already are. Any good websites that are good reading for this? I mean reliable sites with no bull ***rubbish*** which does not send on the wrong messages.

Jerry

--- Marco Tabini <[EMAIL PROTECTED]> wrote:

> On Tue, 2003-06-24 at 09:36, JeRRy wrote:
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> [snip]
>
> There are ways to avoid this. Typically, you can add a random token (or
> a salt) to the password before you calculate its checksum. This way, two
> users with the same password will have two different hashes.
>
> However, a brute-force approach as the one suggested is *not* quite as
> simple and powerful as it looks. Assuming that there are even just 62
> valid characters for the password (uppercase+lowercase+digits) to go
> over passwords as short as five characters you'd have to do 380,204,032
> iterations. Add one more digit and you're already up to 19,770,609,664.
> Sure, these are not insurmountable numbers, but they quickly add up with
> more and more characters (and I'm not even counting all the
> possibilities when it comes to making this more secure).
>
> Mt.
RE: [PHP-DB] md5 question!
md5() will always return the same for the same string, how else can you verify that the user entered their password? everytime they log in, you have to encrypt what they typed in $pword=md5($pword); select * from users where uname='$uname' and pword='$pword' and see if it matches the password they registered with, if md5() gave you different output, then you could never verify thier password. Eddie -Original Message- From: JeRRy [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 9:45 AM To: Marco Tabini Cc: [EMAIL PROTECTED] Subject: Re: [PHP-DB] md5 question! Marco, Okay I just replied to another post asking if md5 outputs a different output if the same password was entered by more than 1 user. I think the answer to that is explained by you below. If true, if more than 1 user had an identical password to another the md5 output would be unique for each user. So a different md5 output even though the same password. Because if: it's mathematically impossible to retrieve > the original > password starting from the hash... which is a Good > Thing(tm) :-) ... is true than a different md5 output must be outputed for each password even if it's the same as another. Because if it was "the same" md5 output it would than be possible to reverse the md5 back to plain text? Well I woudl think so, because it's the same. I just recieved an email to my inbox saying there is a way to reverse it. So I really have no idea what to think, instead I'm going to give the examples I have recieved a go and see what happens. Thanks everyone for your help/feedback/ideas and code on this subject, it's been overwhelming. Very much appreciated. Jerry --- Marco Tabini <[EMAIL PROTECTED]> wrote: > On Tue, 2003-06-24 at 09:08, JeRRy wrote: > > I guess technically there MUST be a way to break > the > > barrier where you can reverse it. If there is a > way > > to make it there is always a way to break it, > somehow. 
> > But what I have heard and read it's very > tight > > and probably the best method to handle passwords > for > > now, until something new is released. Which will > > happen when md5 is broken, like everything else > after > > a little bit of time. > > Well, that's not necessarily true. Take something as > simple as an > integer division. Say that in order calculate your > hash you divide any > number by 3 and discard the remainder. The result > '4' could mean that > your original number could be anywhere between 12 > and 14, for example, > so that even if you know that method that was used > to calculate the hash > you couldn't determine the original password from > it. md5 works on a > similar basis, although a bit (but not that much) > more complicated. So > you see, it's mathematically impossible to retrieve > the original > password starting from the hash... which is a Good > Thing(tm) :-) > > > Marco > > -- > php|architect -- The Magazine for PHP Professionals > Come try us out at http://www.phparch.com and get a > free trial issue > > > > > > > Jerry > > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote: > Hi > > Jerry-- > > > > > > No, md5 is a one-way hash. That's why it's so > > > safe--because if someone > > > steals the information he still can't tell what > the > > > passwords are. > > > > > > You may want to reset the passwords upon your > users' > > > request and send it > > > to them via e-mail instead. > > > > > > Cheers, > > > > > > > > > Marco > > > > > > -- > > > php|architect -- The Magazine for PHP > Professionals > > > Come try us out at http://www.phparch.com and > get a > > > free trial issue > > > > > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote: > > > > Hi, > > > > > > > > If I use md5 to handle passwords to my > database is > > > > there a way to reverse the action if someone > > > forgets > > > > their password? Is there a way for me to > decode > > > the > > > > 32bit to plain text? 
> > > > > > > > Jerry > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > > - Check & compose your email via SMS on your > > > Telstra or Vodafone mobile. > > > -- > > > > > > Marco Tabini > > > President > > > > > > Marco Tabini & Associates, Inc. > > > 28 Bombay Avenue > > > Toronto, ON M3H 1B7 &g
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:45, JeRRy wrote: > If true, if more than 1 user had an identical password > to another the md5 output would be unique for each > user. So a different md5 output even though the same > password. Because if: > > > it's mathematically impossible to retrieve > > the original > > password starting from the hash... which is a Good > > Thing(tm) :-) > > > ... is true than a different md5 output must be > outputed for each password even if it's the same as > another. Because if it was "the same" md5 output it > would than be possible to reverse the md5 back to > plain text? Well I woudl think so, because it's the > same. No, these are two unrelated concepts, in fact they contradict each other. If two passwords *can* have the same hash (which is well possible), then you can't tell the password from the hash. > I just recieved an email to my inbox saying there is a > way to reverse it. So I really have no idea what to > think, instead I'm going to give the examples I have > recieved a go and see what happens. Well, I haven't heard of md5 being broken, although it's been claimed that it is breakable. I'd love to see the references they have sent you! Cheers, Marco > > Thanks everyone for your help/feedback/ideas and code > on this subject, it's been overwhelming. Very much > appreciated. > > Jerry > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote: > On Tue, > 2003-06-24 at 09:08, JeRRy wrote: > > > I guess technically there MUST be a way to break > > the > > > barrier where you can reverse it. If there is a > > way > > > to make it there is always a way to break it, > > somehow. > > > But what I have heard and read it's very > > tight > > > and probably the best method to handle passwords > > for > > > now, until something new is released. Which will > > > happen when md5 is broken, like everything else > > after > > > a little bit of time. > > > > Well, that's not necessarily true. Take something as > > simple as an > > integer division. 
Say that in order calculate your > > hash you divide any > > number by 3 and discard the remainder. The result > > '4' could mean that > > your original number could be anywhere between 12 > > and 14, for example, > > so that even if you know that method that was used > > to calculate the hash > > you couldn't determine the original password from > > it. md5 works on a > > similar basis, although a bit (but not that much) > > more complicated. So > > you see, it's mathematically impossible to retrieve > > the original > > password starting from the hash... which is a Good > > Thing(tm) :-) > > > > > > Marco > > > > -- > > php|architect -- The Magazine for PHP Professionals > > Come try us out at http://www.phparch.com and get a > > free trial issue > > > > > > > > > > > Jerry > > > > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote: > Hi > > > Jerry-- > > > > > > > > No, md5 is a one-way hash. That's why it's so > > > > safe--because if someone > > > > steals the information he still can't tell what > > the > > > > passwords are. > > > > > > > > You may want to reset the passwords upon your > > users' > > > > request and send it > > > > to them via e-mail instead. > > > > > > > > Cheers, > > > > > > > > > > > > Marco > > > > > > > > -- > > > > php|architect -- The Magazine for PHP > > Professionals > > > > Come try us out at http://www.phparch.com and > > get a > > > > free trial issue > > > > > > > > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote: > > > > > Hi, > > > > > > > > > > If I use md5 to handle passwords to my > > database is > > > > > there a way to reverse the action if someone > > > > forgets > > > > > their password? Is there a way for me to > > decode > > > > the > > > > > 32bit to plain text? > > > > > > > > > > Jerry > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > > > - Check & compose your email via SMS on your > > > > Telstra or Vodafone mobile. 
> > > > -- > > > > > > > > Marco Tabini > > > > President > > > > > > > > Marco Tabini & Associates, Inc. > > > > 28 Bombay Avenue > > > > Toronto, ON M3H 1B7 > > > > Canada > > > > > > > > Phone: (416) 630-6202 > > > > Fax: (416) 630-5057 > > > > Web: http://www.tabini.ca > > > > > > > > > > > > -- > > > > PHP Database Mailing List (http://www.php.net/) > > > > To unsubscribe, visit: > > http://www.php.net/unsub.php > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > - Check & compose your email via SMS on your > > Telstra or Vodafone mobile. > > -- > > > > Marco Tabini > > President > > > > Marco Tabini & Associates, Inc. > > 28 Bombay Avenue > > Toronto, ON M3H 1B7 > > Canada > > > > Phone: (416) 630-6202 > > Fax: (416) 630-5057 > > Web: http://www.tabini.ca > > > > > > -- > > PHP Database Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > - Check & compose your email via SMS on your Telstra or Vo
Re: [PHP-DB] md5 question!
Hi, Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to. Thanks so much. Jerry --- [EMAIL PROTECTED] wrote: > They would be the same, they have to be. If you can > de-crypt it, there has to > be some method of validation. So, if someone choose > the same password as you > did, and you stored those in a DB as encrypted with > md5, then they would look > identical. So, you would know the other person's > password. > > > > > Hi, > > > > Hmmm okay... So if the passowrd was. > > > > jerry > > > > and the md5 output was > > SKHDJHDJDHJDHSfdfs > > > > and another user sets their passowrd to the same > as > > mine does that mean the md5 output would be > identical > > to the last as the same password is entered? > > > > e.g. > > > > User 1: > > Username: Fred > > Password: jerry > > > > User 2: > > Username: notfred > > Password: jerry > > > > Or is each entry unique ? > > > > I'm thinking if each entry was unique than > reversing > > the md5 action could be inconclusive. But if the > > output is the same if the same password is entered > > than sure it's reliable. But I could be barking > up > > the wrong tree all together here, so correct me if > I > > am wrong. I have not used md5 before so learning > on > > that behalf. > > > > Jerry > > > > --- [EMAIL PROTECTED] wrote: > Just use > brute > > force... > > > Example: > > > md5('password') will ALWAYS produce the same > output! > > > So, if I intercept a pmd5 encrypted password > that > > > looks like: SKHGDOIUYFB > > > then I could just say: > > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0) > > > printf("Your password is: %s\n", password); > > > > > > So, just start a loop going through all possible > > > combinations od legal password > > > character and encrypt with md5, then compare. > > > > > > Hard? 
Not at all, Time consuming, perhaps, but > with > > > 3+ Ghz processors coming > > > out you'd be surprised how quickly one could > loop > > > through billlions of possible > > > password combinations. Enter distributed > > > environments and it is much fatser. > > > The key is not to rely on passwords but to rely > on > > > other system security > > > messures, use SSL, so it is hard to intercept in > the > > > first place, make sure > > > your system is secure so these passwords cannot > be > > > extracted from your DB > > > without you knowing about it, etc... > > > > > > > > > > > > > Marco, > > > > > > > > Thanks, that's what I originally thought that > it > > > was > > > > one way. So websites that have the option to > > > retrieve > > > > password don't use md5? > > > > > > > > I guess technically there MUST be a way to > break > > > the > > > > barrier where you can reverse it. If there is > a > > > way > > > > to make it there is always a way to break it, > > > somehow. > > > > But what I have heard and read it's > very > > > tight > > > > and probably the best method to handle > passwords > > > for > > > > now, until something new is released. Which > will > > > > happen when md5 is broken, like everything > else > > > after > > > > a little bit of time. > > > > > > > > Jerry > > > > > > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote: > > Hi > > > > Jerry-- > > > > > > > > > > No, md5 is a one-way hash. That's why it's > so > > > > > safe--because if someone > > > > > steals the information he still can't tell > what > > > the > > > > > passwords are. > > > > > > > > > > You may want to reset the passwords upon > your > > > users' > > > > > request and send it > > > > > to them via e-mail instead. 
> > > > > > > > > > Cheers, > > > > > > > > > > > > > > > Marco > > > > > > > > > > -- > > > > > php|architect -- The Magazine for PHP > > > Professionals > > > > > Come try us out at http://www.phparch.com > and > > > get a > > > > > free trial issue > > > > > > > > > > > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote: > > > > > > Hi, > > > > > > > > > > > > If I use md5 to handle passwords to my > > > database is > > > > > > there a way to reverse the action if > someone > > > > > forgets > > > > > > their password? Is there a way for me to > > > decode > > > > > the > > > > > > 32bit to plain text? > > > > > > > > > > > > Jerry > > > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > > > > - Check & compose your email via SMS on > your > > > > > Telstra or Vodafone mobile. > > > > > -- > > > > > > > > > > Marco Tabini > > > > > President > > > > > > > > > > Marco Tabini & Associates, Inc. > > > > > 28 Bombay Avenue > > > > > Toronto, ON M3H 1B7 > > > > > Canada > > > > > > > > > > Phone: (416) 630-6202 > > > > > Fax: (416) 630-5057 > > > > > Web: http://www.tabini.ca > > > > > > > > > > > > > > > -- > > > > > PHP Database Mailing List > (http://www.php.net/) > > > > > To unsubscribe, visit: > > > http://www.php.net/unsub.php > > > > > > > > >
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:36, JeRRy wrote:

> Hi,
>
> Hmmm okay... So if the password was.
>
[snip]

There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes.

However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. Assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure).

Mt.
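Added example (not part of the thread): the Fred/notfred case from Jerry's question stored three ways, showing the effect of the salt described above and how the login check changes from the `WHERE pword = md5(...)` style query discussed earlier. The table layout, function names and the in-memory SQLite database (requires pdo_sqlite) are assumptions; password_hash() is a modern replacement for salted md5(), not something the thread uses.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table; nothing here comes from a real system.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    uname      TEXT PRIMARY KEY,
    plain_md5  TEXT NOT NULL,  -- md5(password), unsalted
    salt       TEXT NOT NULL,  -- random per-user salt
    salted_md5 TEXT NOT NULL,  -- md5(salt . password), salt added before the checksum
    pw_hash    TEXT NOT NULL   -- password_hash() output, salt embedded in the string
)');

function register(PDO $db, string $uname, string $password): void
{
    $salt = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([
        $uname,
        md5($password),
        $salt,
        md5($salt . $password),
        password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Number of hash values in $column that more than one user shares:
// what a copy of the table reveals about reused passwords.
function sharedHashes(PDO $db, string $column): int
{
    // The column name comes from this fixed allow-list, never from user input.
    if (!in_array($column, ['plain_md5', 'salted_md5', 'pw_hash'], true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $sql = "SELECT COUNT(*) FROM (SELECT $column FROM users GROUP BY $column HAVING COUNT(*) > 1)";
    return (int) $db->query($sql)->fetchColumn();
}

// With a per-user salt the stored value cannot be matched inside the WHERE clause:
// fetch the row by user name (bound parameter), then verify in PHP.
function login(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Same check against the salted-md5 column: recompute with the stored salt
// and compare in constant time.
function loginSaltedMd5(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, salted_md5 FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['salted_md5'], md5($row['salt'] . $password));
}

// The two users from the thread, both with the password "jerry".
register($db, 'Fred', 'jerry');
register($db, 'notfred', 'jerry');

printf("shared values, unsalted md5:  %d\n", sharedHashes($db, 'plain_md5'));
printf("shared values, salted md5:    %d\n", sharedHashes($db, 'salted_md5'));
printf("shared values, password_hash: %d\n", sharedHashes($db, 'pw_hash'));

echo 'Fred / jerry (password_hash): ';
var_dump(login($db, 'Fred', 'jerry'));
echo 'notfred / jerry (salted md5): ';
var_dump(loginSaltedMd5($db, 'notfred', 'jerry'));
echo 'notfred / wrong password:     ';
var_dump(login($db, 'notfred', 'wrong'));
```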
Re: [PHP-DB] md5 question!
They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone choose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password. > Hi, > > Hmmm okay... So if the passowrd was. > > jerry > > and the md5 output was > SKHDJHDJDHJDHSfdfs > > and another user sets their passowrd to the same as > mine does that mean the md5 output would be identical > to the last as the same password is entered? > > e.g. > > User 1: > Username: Fred > Password: jerry > > User 2: > Username: notfred > Password: jerry > > Or is each entry unique ? > > I'm thinking if each entry was unique than reversing > the md5 action could be inconclusive. But if the > output is the same if the same password is entered > than sure it's reliable. But I could be barking up > the wrong tree all together here, so correct me if I > am wrong. I have not used md5 before so learning on > that behalf. > > Jerry > > --- [EMAIL PROTECTED] wrote: > Just use brute > force... > > Example: > > md5('password') will ALWAYS produce the same output! > > So, if I intercept a pmd5 encrypted password that > > looks like: SKHGDOIUYFB > > then I could just say: > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0) > > printf("Your password is: %s\n", password); > > > > So, just start a loop going through all possible > > combinations od legal password > > character and encrypt with md5, then compare. > > > > Hard? Not at all, Time consuming, perhaps, but with > > 3+ Ghz processors coming > > out you'd be surprised how quickly one could loop > > through billlions of possible > > password combinations. Enter distributed > > environments and it is much fatser. 
> > The key is not to rely on passwords but to rely on > > other system security > > messures, use SSL, so it is hard to intercept in the > > first place, make sure > > your system is secure so these passwords cannot be > > extracted from your DB > > without you knowing about it, etc... > > > > > > > > > Marco, > > > > > > Thanks, that's what I originally thought that it > > was > > > one way. So websites that have the option to > > retrieve > > > password don't use md5? > > > > > > I guess technically there MUST be a way to break > > the > > > barrier where you can reverse it. If there is a > > way > > > to make it there is always a way to break it, > > somehow. > > > But what I have heard and read it's very > > tight > > > and probably the best method to handle passwords > > for > > > now, until something new is released. Which will > > > happen when md5 is broken, like everything else > > after > > > a little bit of time. > > > > > > Jerry > > > > > > --- Marco Tabini <[EMAIL PROTECTED]> wrote: > Hi > > > Jerry-- > > > > > > > > No, md5 is a one-way hash. That's why it's so > > > > safe--because if someone > > > > steals the information he still can't tell what > > the > > > > passwords are. > > > > > > > > You may want to reset the passwords upon your > > users' > > > > request and send it > > > > to them via e-mail instead. > > > > > > > > Cheers, > > > > > > > > > > > > Marco > > > > > > > > -- > > > > php|architect -- The Magazine for PHP > > Professionals > > > > Come try us out at http://www.phparch.com and > > get a > > > > free trial issue > > > > > > > > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote: > > > > > Hi, > > > > > > > > > > If I use md5 to handle passwords to my > > database is > > > > > there a way to reverse the action if someone > > > > forgets > > > > > their password? Is there a way for me to > > decode > > > > the > > > > > 32bit to plain text? > > > > > > > > > > Jerry > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! 
Mobile > > > > > - Check & compose your email via SMS on your > > > > Telstra or Vodafone mobile. > > > > -- > > > > > > > > Marco Tabini > > > > President > > > > > > > > Marco Tabini & Associates, Inc. > > > > 28 Bombay Avenue > > > > Toronto, ON M3H 1B7 > > > > Canada > > > > > > > > Phone: (416) 630-6202 > > > > Fax: (416) 630-5057 > > > > Web: http://www.tabini.ca > > > > > > > > > > > > -- > > > > PHP Database Mailing List (http://www.php.net/) > > > > To unsubscribe, visit: > > http://www.php.net/unsub.php > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > - Check & compose your email via SMS on your > > Telstra or Vodafone mobile. > > > > > > -- > > > PHP Database Mailing List (http://www.php.net/) > > > To unsubscribe, visit: > > http://www.php.net/unsub.php > > > > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > - Check & compose your email via SMS on your Telstra or Vodafone mobile. > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
Re: [PHP-DB] md5 question!
Marco,

Okay I just replied to another post asking if md5 outputs a different output if the same password was entered by more than 1 user. I think the answer to that is explained by you below. If true, if more than 1 user had an identical password to another the md5 output would be unique for each user. So a different md5 output even though the same password.

Because if:

> it's mathematically impossible to retrieve the original
> password starting from the hash... which is a Good Thing(tm) :-)

... is true then a different md5 output must be outputted for each password even if it's the same as another. Because if it was "the same" md5 output it would then be possible to reverse the md5 back to plain text? Well I would think so, because it's the same.

I just received an email to my inbox saying there is a way to reverse it. So I really have no idea what to think, instead I'm going to give the examples I have received a go and see what happens.

Thanks everyone for your help/feedback/ideas and code on this subject, it's been overwhelming. Very much appreciated.

Jerry

--- Marco Tabini <[EMAIL PROTECTED]> wrote:
> On Tue, 2003-06-24 at 09:08, JeRRy wrote:
> > I guess technically there MUST be a way to break the
> > barrier where you can reverse it. If there is a way
> > to make it there is always a way to break it, somehow.
> > But what I have heard and read it's very tight
> > and probably the best method to handle passwords for
> > now, until something new is released. Which will
> > happen when md5 is broken, like everything else after
> > a little bit of time.
>
> Well, that's not necessarily true. Take something as simple as an
> integer division. Say that in order to calculate your hash you divide any
> number by 3 and discard the remainder. The result '4' could mean that
> your original number could be anywhere between 12 and 14, for example,
> so that even if you know the method that was used to calculate the hash
> you couldn't determine the original password from it. md5 works on a
> similar basis, although a bit (but not that much) more complicated. So
> you see, it's mathematically impossible to retrieve the original
> password starting from the hash... which is a Good Thing(tm) :-)
>
> Marco
Re: [PHP-DB] md5 question!
md5 returns a 32 char hexdec string. I'm not sure where you get an 11 char alpha string from md5...

Since the MD5 is 32 chars in length, with 36 possibilities for each char, that leaves us with 36^32, or 63340286662973277706162286946811886609896461828096 or 63,340,286,662,973,276,904,018,768,749,012,366,609,829,142,200,320 after using number_format.

What is that? A little more than the billions of possibilities you suggest would exist... Hmmm, that's 63 quindecillion, or like 63 * 10^48. Ouch. I think even with 3+ Ghz processors you might have to wait a few years. Months? Maybe distributed, but doubtful. Given that it took 4 years to go through 15,769,938,165,961,326,592 keys (out of a possible 18,446,744,073,709,551,616) to break 64 bit RSA encryption. That's 18 * 10^18 total possible keys. That's a lot less than 63 * 10^48 and it took 4 years and 331,000 computers.

http://www.pcw.co.uk/News/1135452

From the PHP manual: http://php.net/md5

    Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5 Message-Digest Algorithm, and returns that hash. The hash is a 32-character hexadecimal number. If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

Beckman

On Tue, 24 Jun 2003 [EMAIL PROTECTED] wrote:
> Just use brute force...
> Example:
> md5('password') will ALWAYS produce the same output!
> So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
> then I could just say:
>     if (strcmp(md5('password'), 'SKHGDOIUYFB') == 0)
>         printf("Your password is: %s\n", 'password');
>
> So, just start a loop going through all possible combinations of legal password
> characters and encrypt with md5, then compare.
>
> Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming
> out you'd be surprised how quickly one could loop through billions of possible
> password combinations. Enter distributed environments and it is much faster.
> The key is not to rely on passwords but to rely on other system security
> measures, use SSL, so it is hard to intercept in the first place, make sure
> your system is secure so these passwords cannot be extracted from your DB
> without you knowing about it, etc...

---
Peter Beckman
Internet Guy
[EMAIL PROTECTED]
http://www.purplecow.com/
Re: [PHP-DB] md5 question!
Hi,

Hmmm okay... So if the password was jerry and the md5 output was SKHDJHDJDHJDHSfdfs and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered?

e.g.

User 1:
Username: Fred
Password: jerry

User 2:
Username: notfred
Password: jerry

Or is each entry unique? I'm thinking if each entry was unique then reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered then sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf.

Jerry

--- [EMAIL PROTECTED] wrote:
> Just use brute force...
> Example:
> md5('password') will ALWAYS produce the same output!
> So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
> then I could just say:
>     if (strcmp(md5('password'), 'SKHGDOIUYFB') == 0)
>         printf("Your password is: %s\n", 'password');
>
> So, just start a loop going through all possible combinations of legal password
> characters and encrypt with md5, then compare.
>
> Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming
> out you'd be surprised how quickly one could loop through billions of possible
> password combinations. Enter distributed environments and it is much faster.
> The key is not to rely on passwords but to rely on other system security
> measures, use SSL, so it is hard to intercept in the first place, make sure
> your system is secure so these passwords cannot be extracted from your DB
> without you knowing about it, etc...
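The question above (two accounts, same password), as an added PHP example that is not code from anyone in this thread: unsalted md5() stores the same value for both users, while password_hash() (PHP 5.5+) salts each row, and a legacy md5 row can be upgraded at the next successful login. The in-memory `$users` array and the helper names `isLegacyMd5()` and `login()` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; the $users array and both function names are hypothetical.
// The accounts "Fred" and "notfred" with password "jerry" come from the question.

/** True when a stored value looks like an unsalted md5() hex digest. */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1;
}

/**
 * Check a login against the in-memory table. A row that still holds a bare
 * md5() digest is replaced with a salted password_hash() value on the first
 * successful login, so the table migrates without anyone "reversing" a hash.
 */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (isLegacyMd5($stored)) {
        // Constant-time comparison of the recomputed digest with the stored one.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// 1. Unsalted md5(): compare the two stored rows for the shared password.
$users = [
    'Fred'    => md5('jerry'),
    'notfred' => md5('jerry'),
];
echo "md5 rows equal:        ";
var_dump($users['Fred'] === $users['notfred']);

// 2. Successful logins upgrade each row; a wrong password is still rejected.
echo "Fred logs in:          ";
var_dump(login($users, 'Fred', 'jerry'));
echo "notfred logs in:       ";
var_dump(login($users, 'notfred', 'jerry'));
echo "notfred, bad password: ";
var_dump(login($users, 'notfred', 'wrong'));

// 3. After the upgrade, compare the rows again and confirm both still verify.
echo "salted rows equal:     ";
var_dump($users['Fred'] === $users['notfred']);
echo "row still legacy md5:  ";
var_dump(isLegacyMd5($users['Fred']));
echo "Fred verifies:         ";
var_dump(password_verify('jerry', $users['Fred']));
echo "notfred verifies:      ";
var_dump(password_verify('jerry', $users['notfred']));
```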
RE: [PHP-DB] md5 question!
This is waaay over my head, but if any of you are interested:

http://www.faqs.org/rfcs/rfc1321

I just read it and have come to the conclusion that MD5 is a small, British sports car ;^)

Rich

> -----Original Message-----
> From: Marco Tabini [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 24, 2003 9:30 AM
> To: JeRRy
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] md5 question!
>
> On Tue, 2003-06-24 at 09:08, JeRRy wrote:
> > I guess technically there MUST be a way to break the
> > barrier where you can reverse it. If there is a way
> > to make it there is always a way to break it, somehow.
> > But what I have heard and read it's very tight
> > and probably the best method to handle passwords for
> > now, until something new is released. Which will
> > happen when md5 is broken, like everything else after
> > a little bit of time.
>
> Well, that's not necessarily true. Take something as simple as an
> integer division. Say that in order to calculate your hash you divide any
> number by 3 and discard the remainder. The result '4' could mean that
> your original number could be anywhere between 12 and 14, for example,
> so that even if you know the method that was used to calculate the hash
> you couldn't determine the original password from it. md5 works on a
> similar basis, although a bit (but not that much) more complicated. So
> you see, it's mathematically impossible to retrieve the original
> password starting from the hash... which is a Good Thing(tm) :-)
>
> Marco
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:08, JeRRy wrote:
> I guess technically there MUST be a way to break the
> barrier where you can reverse it. If there is a way
> to make it there is always a way to break it, somehow.
> But what I have heard and read it's very tight
> and probably the best method to handle passwords for
> now, until something new is released. Which will
> happen when md5 is broken, like everything else after
> a little bit of time.

Well, that's not necessarily true. Take something as simple as an integer division. Say that in order to calculate your hash you divide any number by 3 and discard the remainder. The result '4' could mean that your original number could be anywhere between 12 and 14, for example, so that even if you know the method that was used to calculate the hash you couldn't determine the original password from it. md5 works on a similar basis, although a bit (but not that much) more complicated. So you see, it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-)

Marco

--
Marco Tabini
President
Marco Tabini & Associates, Inc.
Web: http://www.tabini.ca
Re: [PHP-DB] md5 question!
Speaking of MD5 hashes, I had the idea and the wherewithal to build a site that had a huge pile of passwords and their various matching MD5 hashes, crypts using all 26^2 salts, etc. People could submit passwords (or request that passwords be removed); I'd initially populate it with passwords built from rules used in applications like "john." It would allow sysadmins SOAP access to see if a password was "insecure" quickly and easily.

However, the down side to this is that script-kiddies could use the database to break passwords if they can get their grubby little hands on it.

I know this is PHP/MySQL list, but I'd write it in PHP/MySQL so it is sort of related. I'd like to hear your thoughts on the pros and cons of such a database.

Beckman

On Tue, 24 Jun 2003, [iso-8859-1] JeRRy wrote:
> Marco,
>
> Thanks, that's what I originally thought that it was
> one way. So websites that have the option to retrieve
> password don't use md5?
>
> I guess technically there MUST be a way to break the
> barrier where you can reverse it. If there is a way
> to make it there is always a way to break it, somehow.
> But what I have heard and read it's very tight
> and probably the best method to handle passwords for
> now, until something new is released. Which will
> happen when md5 is broken, like everything else after
> a little bit of time.

---
Peter Beckman
Internet Guy
[EMAIL PROTECTED]
http://www.purplecow.com/
Re: [PHP-DB] md5 question!
Just use brute force...
Example:
md5('password') will ALWAYS produce the same output!
So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB
then I could just say:

    if (strcmp(md5('password'), 'SKHGDOIUYFB') == 0)
        printf("Your password is: %s\n", 'password');

So, just start a loop going through all possible combinations of legal password characters and encrypt with md5, then compare.

Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster.

The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...

> Marco,
>
> Thanks, that's what I originally thought that it was
> one way. So websites that have the option to retrieve
> password don't use md5?
>
> I guess technically there MUST be a way to break the
> barrier where you can reverse it. If there is a way
> to make it there is always a way to break it, somehow.
> But what I have heard and read it's very tight
> and probably the best method to handle passwords for
> now, until something new is released. Which will
> happen when md5 is broken, like everything else after
> a little bit of time.
>
> Jerry
Re: [PHP-DB] md5 question!
Marco,

Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5?

I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.

Jerry

--- Marco Tabini <[EMAIL PROTECTED]> wrote:
> Hi Jerry--
>
> No, md5 is a one-way hash. That's why it's so
> safe--because if someone
> steals the information he still can't tell what the
> passwords are.
>
> You may want to reset the passwords upon your users'
> request and send it
> to them via e-mail instead.
>
> Cheers,
>
> Marco
RE: [PHP-DB] md5 question!
no. we added the old 'password' question to one of the sites I did for this reason. When the client registered, they picked a question, ssn, mother's maiden name, dog's name, etc and entered an answer. That way if they lost their password, they could go to a 'lost password' area, enter their username, select and answer their question. they were then logged in and could change their password.

of course Marco's suggestion is good also, that way you can confirm you are speaking to the actual user before you change their password.

Eddie

-----Original Message-----
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] md5 question!

Hi,

If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text?

Jerry
Re: [PHP-DB] md5 question!
Hi Jerry--

No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are.

You may want to reset the passwords upon your users' request and send it to them via e-mail instead.

Cheers,

Marco

On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> Hi,
>
> If I use md5 to handle passwords to my database is
> there a way to reverse the action if someone forgets
> their password? Is there a way for me to decode the
> 32bit to plain text?
>
> Jerry

--
Marco Tabini
President
Marco Tabini & Associates, Inc.
Web: http://www.tabini.ca
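A reset-on-request flow like the one suggested above, as an added PHP sketch that is not code from the thread. It is a variant that e-mails a single-use, expiring token rather than a new password; the in-memory `$resets` and `$users` arrays, the 15-minute lifetime and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; $resets, $users and both function names are hypothetical.
// The lifetime below is an assumed value, not one taken from the thread.
const RESET_TTL_SECONDS = 900;

/**
 * Create a reset token for a user. Only a SHA-256 digest of the token is
 * kept server side, so a copy of the table does not yield usable tokens.
 * The returned raw token is what would be placed in the e-mail.
 */
function issueResetToken(array &$resets, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $resets[$user] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + RESET_TTL_SECONDS,
    ];
    return $token;
}

/**
 * Redeem a token and store the new password as a salted hash.
 * Expired tokens are discarded; a used token cannot be replayed.
 */
function redeemResetToken(
    array &$resets,
    array &$users,
    string $user,
    string $token,
    string $newPassword,
    int $now
): bool {
    if (!isset($resets[$user])) {
        return false;
    }
    $entry = $resets[$user];

    if ($now > $entry['expires']) {
        unset($resets[$user]);
        return false;
    }
    if (!hash_equals($entry['token_hash'], hash('sha256', $token))) {
        return false;
    }

    unset($resets[$user]);                       // single use
    $users[$user] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data: one account whose owner forgot the password.
$users  = ['jerry' => password_hash('old-forgotten-password', PASSWORD_DEFAULT)];
$resets = [];
$t0     = 1_000_000;                             // constructed clock value

$token = issueResetToken($resets, 'jerry', $t0);

echo "wrong token accepted:   ";
var_dump(redeemResetToken($resets, $users, 'jerry', str_repeat('0', 64), 'x', $t0 + 10));
echo "valid token accepted:   ";
var_dump(redeemResetToken($resets, $users, 'jerry', $token, 'new-password', $t0 + 60));
echo "replayed token accepted: ";
var_dump(redeemResetToken($resets, $users, 'jerry', $token, 'again', $t0 + 70));
echo "new password verifies:  ";
var_dump(password_verify('new-password', $users['jerry']));

// A second token that is presented after its lifetime has passed.
$late = issueResetToken($resets, 'jerry', $t0);
echo "expired token accepted: ";
var_dump(redeemResetToken($resets, $users, 'jerry', $late, 'late', $t0 + RESET_TTL_SECONDS + 1));
```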
[PHP-DB] md5 question!
Hi,

If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text?

Jerry
RE: [PHP-DB] MD5 hash problem
> For every password that I store in the database I have found it is the
> same string of characters no matter what the original $password is.

That is because you have single quotes around your variable so it is not being expanded, so every time it is the MD5 of the same thing, the string $password.

> $pass = MD5('$password');

Change it to

    MD5($password);

or

    MD5("$password");
[PHP-DB] MD5 hash problem
Hello list,

I am having a problem with MD5(). Every time I try to use this function it seems to work, but I get the same results. Below is what I am trying to do.

    $pass = MD5('$password');

For every password that I store in the database I have found it is the same string of characters no matter what the original $password is.

$pass always = 243e61e9410a9f577d2d662c67025ee9

In other words, it looks like the MD5 function is working but not correctly because it is calculating the hash, but is finding the same hash for every string. Any help would be greatly appreciated. I am new to the whole list process so if I do or say something wrong please do not hate me.

Thanks,
Mike

Mike Calvelage
Webmaster / Sales Associate
Viper Systems
vipersystems.biz
RE: [PHP-DB] MD5 Update
> $preencher = mysql_query("SELECT * FROM alemao");
> $update = mysql_query("UPDATE alemao SET codigo =
> md5(concat(nome,email))");
>
> mysql_close ($db);
>
> what's wrong with my code? when I tell him to
>
> else echo "No"; ?>
>
> he returns "Insert MD5", but nothing happens in the db... what's wrong?

Your query is fine (assuming column names are correct), something has to happen. What do you expect to happen? Your UPDATE query is going to update every row in the table...

---John W. Holmes...
[PHP-DB] MD5 Update
Please, help me with this:

    $preencher = mysql_query("SELECT * FROM alemao");
    $update = mysql_query("UPDATE alemao SET codigo = md5(concat(nome,email))");
    mysql_close ($db);

what's wrong with my code? when I tell him to he returns "Insert MD5", but nothing happens in the db... what's wrong?

Thank you in advance,
Dani
RE: [PHP-DB] MD5()
> I have to store some CC details in a database which are inputted from a
> form, is MD5() the best way to secure the data? If so, how do I view
> MD5() data after it has been inserted? Any good MD5() tutorials out
> there?

Please do your users a favor and do not store credit card numbers on your system.

---John W. Holmes...
Re: [PHP-DB] MD5()
md5() is a one-way encryption algorithm. So once they are encrypted, you cannot decrypt them. Just look at the md5() function on the php website. It has what you need to do. Of course if you eventually need these back in the clear, then md5 would not be a solution.

-Brad

Chris Payne wrote:
> Hi there everyone,
>
> I have to store some CC details in a database which are inputted from a form, is
> MD5() the best way to secure the data? If so, how do I view MD5() data after it has
> been inserted? Any good MD5() tutorials out there?
>
> Thanks for your help :-)
>
> Regards
>
> Chris
[PHP-DB] MD5()
Hi there everyone,

I have to store some CC details in a database which are inputted from a form, is MD5() the best way to secure the data? If so, how do I view MD5() data after it has been inserted? Any good MD5() tutorials out there?

Thanks for your help :-)

Regards

Chris
Re: [PHP-DB] MD5 (' ')
> ----- Original Message -----
> From: "Ignat Ikryanov" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 29, 2001 4:45 PM
> Subject: [PHP-DB] MD5 (' ')
>
> Hi!
> I use md5 function to encrypt users password stored in MySql database.
> When I try encrypt string 'asdf' using md5 function I retrieve:
> 912ec803b2ce49e4a541068d495ab570
> But in 'shadow' file of my linux (Debian 2.2 used MD5 to encrypt users
> password) 'asdf' string looks like:
> $1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
>
> Why results are different?

Unix Shadow passwords are actually computed using an algorithm, md5 is part of that algorithm but not the entire thing. You can immediately tell that $1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1 is not an md5 hash because all md5 hashes are 32 characters and this is 35.

Shadow passwords computed with this algorithm start with $1 and then have an 8 character salt surrounded by $'s. The last part of the hash is 22 characters which are computed by the algorithm. So in the above string $1$ indicates that it is a shadow password, and arjq575D is the salt followed by $.

I looked around on google for a bit, but could not find the specific algorithm Debian uses to compute the last 22 characters. I'll let you know if I find it.

You might also want to try this script:

http://limonez.net/~jure/php/md5crypt.phps

I noticed it in the user notes for md5. It says it makes FreeBSD style shadow passwords though, and I am not sure if FreeBSD uses the same algorithm as Debian or not. (I also have not actually verified that the above script does ANYTHING =P )

Good luck. I'll let you know if I find anything specific on Debian.

Sheridan Saint-Michel
Website Administrator
FoxJet, an ITW Company
www.foxjet.com
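The `$1$salt$digest` layout described above, as an added PHP example that is not code from the thread: it tells a bare md5() hex digest apart from an md5-crypt shadow field and checks a password against the field with PHP's built-in crypt(), which reads the `$1$` marker and salt from the stored value. The helper names `classifyStoredHash()` and `verifyMd5Crypt()` and the second salt are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. classifyStoredHash() and verifyMd5Crypt() are
// hypothetical helper names; the two sample values are the ones quoted in
// the thread, and the second salt further down is constructed for the demo.

/** Tell a bare md5() hex digest apart from an md5-crypt shadow field. */
function classifyStoredHash(string $value): array
{
    if (preg_match('/\A[0-9a-f]{32}\z/i', $value) === 1) {
        return ['type' => 'md5-hex', 'salt' => null, 'digest' => $value];
    }
    // "$1$" marker, a salt of up to 8 characters, "$", then a 22-character
    // digest written in the crypt alphabet ./0-9A-Za-z.
    if (preg_match('#\A\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})\z#', $value, $m) === 1) {
        return ['type' => 'md5-crypt', 'salt' => $m[1], 'digest' => $m[2]];
    }
    return ['type' => 'unknown', 'salt' => null, 'digest' => null];
}

/**
 * Check a password against an md5-crypt field. crypt() takes the "$1$salt$"
 * prefix from the stored value and recomputes the whole field, which is then
 * compared with the stored one in constant time.
 */
function verifyMd5Crypt(string $password, string $stored): bool
{
    if (classifyStoredHash($stored)['type'] !== 'md5-crypt') {
        return false;
    }
    return hash_equals($stored, crypt($password, $stored));
}

// Single-quoted on purpose: "$1" inside double quotes would be interpolated.
$fromPhp    = '912ec803b2ce49e4a541068d495ab570';   // md5('asdf') as reported in the thread
$fromShadow = '$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1'; // shadow entry as reported in the thread

foreach ([$fromPhp, $fromShadow] as $value) {
    $info = classifyStoredHash($value);
    printf("%-36s type=%s salt=%s\n", $value, $info['type'], $info['salt'] ?? '-');
}

// Does the shadow entry verify for the password named in the thread?
echo "shadow entry verifies for 'asdf': ";
var_dump(verifyMd5Crypt('asdf', $fromShadow));

// Same password with a different (constructed) salt produces a different
// field, which is why a shadow value cannot be compared with a bare md5().
$other = crypt('asdf', '$1$Xy12abCD$');
echo "field with constructed salt:      ", $other, "\n";
echo "equal to the thread's entry:      ";
var_dump($other === $fromShadow);
echo "constructed field verifies:       ";
var_dump(verifyMd5Crypt('asdf', $other));
```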
Re: [PHP-DB] MD5 (' ')
MD5 doesn't use a salt.
http://www.faqs.org/rfcs/rfc1321.html

Sheridan Saint-Michel
Website Administrator
FoxJet, an ITW Company
www.foxjet.com

- Original Message -
From: "Andrey Hristov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 29, 2001 10:10 AM
Subject: Re: [PHP-DB] MD5 (' ')

> I'm not so sure, but there is another parameter to md5() - the salt.
>
> Andrey Hristov
> IcyGEN Corporation
> http://www.icygen.com
> 99%
>
> - Original Message -
> From: "Ignat Ikryanov" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, August 29, 2001 4:45 PM
> Subject: [PHP-DB] MD5 (' ')
>
> Hi!
> I use md5 function to encrypt users password stored in MySql database. When I try encrypt string 'asdf' using md5 function I retrieve:
> 912ec803b2ce49e4a541068d495ab570
> But in 'shadow' file of my linux (Debian 2.2 used MD5 to encrypt users password) 'asdf' string looks like:
> $1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
>
> Why results are different?
Re: [PHP-DB] MD5 (' ')
I had a similar problem. I think it has to do with the character encoding of the output hash. My only resort (very ugly!!) was to have a perl script which calculated the hash. The perl script looks like:

#!/usr/bin/perl
use Digest::MD5 qw(md5_base64);
print md5_base64($ARGV[0]);

Maybe your problem is similar. The perl MD5 module seems to have more encoding options than the php one. Have a look; it might give you a clue as to where the problem is.

Andre

At 18:10 29/08/2001 +0300, Andrey Hristov wrote:
>I'm not so sure, but there is another parameter to md5() - the salt.
>
>Andrey Hristov
>IcyGEN Corporation
>http://www.icygen.com
>99%
>
>- Original Message -
>From: "Ignat Ikryanov" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, August 29, 2001 4:45 PM
>Subject: [PHP-DB] MD5 (' ')
>
>Hi!
>I use md5 function to encrypt users password stored in MySql database.
>When I try encrypt string 'asdf' using md5 function I retrieve:
>912ec803b2ce49e4a541068d495ab570
>But in 'shadow' file of my linux (Debian 2.2 used MD5 to encrypt users password) 'asdf' string looks like:
>$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1
>
>Why results are different?
Re: [PHP-DB] MD5 (' ')
I'm not so sure, but there is another parameter to md5() - the salt.

Andrey Hristov
IcyGEN Corporation
http://www.icygen.com
99%

- Original Message -
From: "Ignat Ikryanov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 29, 2001 4:45 PM
Subject: [PHP-DB] MD5 (' ')

Hi!
I use md5 function to encrypt users password stored in MySql database. When I try encrypt string 'asdf' using md5 function I retrieve:
912ec803b2ce49e4a541068d495ab570
But in 'shadow' file of my linux (Debian 2.2 used MD5 to encrypt users password) 'asdf' string looks like:
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1

Why results are different?
[PHP-DB] MD5 (' ')
Hi!
I use md5 function to encrypt users password stored in MySql database. When I try encrypt string 'asdf' using md5 function I retrieve:
912ec803b2ce49e4a541068d495ab570
But in 'shadow' file of my linux (Debian 2.2 used MD5 to encrypt users password) 'asdf' string looks like:
$1$arjq575D$rnHVFfcQE7.h2EgSU7yzQ1

Why results are different?
RE: [PHP-DB] md5
I know there is an issue about encrypting an already encrypted string, or encrypting something twice. I believe it is against the law in the US for some algorithms (like MD5). They [they] have to be able to crack your stuff. Maybe someone can confirm?

How does this relate to your problem? Well maybe md5 thinks your string has already been encrypted.

Mike

-Original Message-
From: bryan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 4:48 PM
To: Joe Brown; db
Subject: Re: [PHP-DB] md5

Yeah, I am aware of the 32 byte character string. As a matter of fact, I md5 the password on initial sign-up. Then just compare it to the regular password. As for this case, I am trying to update the password that is already md5'd in the database. The problem is, I am creating a random string (with letters and numbers) and making it 10 characters long. I think md5 has a problem with this, for some reason. Probably just me though.

Thanks for the advice.

bryan

- Original Message -
From: "Joe Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 27, 2001 12:40 PM
Subject: Re: [PHP-DB] md5

> You are aware that md5() generates a 32 byte character string?
>
> Working on the 10 digit password request, have you allotted enough space in your database columns to cater to a 32 byte string (64 for multibyte)?
>
> BTW: md5 has eaten everything I've thrown at it ;-)
>
> "bryan" <[EMAIL PROTECTED]> wrote in message
> news:005801c0a0f1$c5c3cd40$272478cc@bryan...
> I need some advice on this
> I am creating a random password through a function.
>
> This creates a random password and updates it in the database.
> The sql query works if I make it :
>
> $sql = "UPDATE members SET password='$password', verify='$verify' WHERE username='$username' ";
>
> but if I make the code (as below) with the md5, it does not.
> I must be doing something wrong, or it does not like to md5 random things or something. Any Advice?
>
> for ( $a=0; $a<1; $a++) {
>
> $password = newpwd( 10 );
> $verify = $password;
>
> $dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
> mysql_select_db( "playtime" );
>
> $sql = "UPDATE members SET password=' ".md5($password)." ', verify=' ".md5($verify)" ' WHERE username='$username' ";
Re: [PHP-DB] md5
Yeah, I am aware of the 32 byte character string. As a matter of fact, I md5 the password on initial sign-up. Then just compare it to the regular password. As for this case, I am trying to update the password that is already md5'd in the database. The problem is, I am creating a random string (with letters and numbers) and making it 10 characters long. I think md5 has a problem with this, for some reason. Probably just me though.

Thanks for the advice.

bryan

- Original Message -
From: "Joe Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 27, 2001 12:40 PM
Subject: Re: [PHP-DB] md5

> You are aware that md5() generates a 32 byte character string?
>
> Working on the 10 digit password request, have you allotted enough space in your database columns to cater to a 32 byte string (64 for multibyte)?
>
> BTW: md5 has eaten everything I've thrown at it ;-)
>
> "bryan" <[EMAIL PROTECTED]> wrote in message
> news:005801c0a0f1$c5c3cd40$272478cc@bryan...
> I need some advice on this
> I am creating a random password through a function.
>
> This creates a random password and updates it in the database.
> The sql query works if I make it :
>
> $sql = "UPDATE members SET password='$password', verify='$verify' WHERE username='$username' ";
>
> but if I make the code (as below) with the md5, it does not.
> I must be doing something wrong, or it does not like to md5 random things or something. Any Advice?
>
> for ( $a=0; $a<1; $a++) {
>
> $password = newpwd( 10 );
> $verify = $password;
>
> $dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
> mysql_select_db( "playtime" );
>
> $sql = "UPDATE members SET password=' ".md5($password)." ', verify=' ".md5($verify)" ' WHERE username='$username' ";
Re: [PHP-DB] md5
You are aware that md5() generates a 32 byte character string?

Working on the 10 digit password request, have you allotted enough space in your database columns to cater to a 32 byte string (64 for multibyte)?

BTW: md5 has eaten everything I've thrown at it ;-)

"bryan" <[EMAIL PROTECTED]> wrote in message
news:005801c0a0f1$c5c3cd40$272478cc@bryan...
I need some advice on this
I am creating a random password through a function.

This creates a random password and updates it in the database.
The sql query works if I make it :

$sql = "UPDATE members SET password='$password', verify='$verify' WHERE username='$username' ";

but if I make the code (as below) with the md5, it does not.
I must be doing something wrong, or it does not like to md5 random things or something. Any Advice?

for ( $a=0; $a<1; $a++) {

$password = newpwd( 10 );
$verify = $password;

$dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
mysql_select_db( "playtime" );

$sql = "UPDATE members SET password=' ".md5($password)." ', verify=' ".md5($verify)" ' WHERE username='$username' ";

Thanks
bryan

Bryan Fitch
Programmer
Concept Factory
[EMAIL PROTECTED]
http://www.concept-factory.com
[PHP-DB] md5
I need some advice on this
I am creating a random password through a function.

This creates a random password and updates it in the database.
The sql query works if I make it :

$sql = "UPDATE members SET password='$password', verify='$verify' WHERE username='$username' ";

but if I make the code (as below) with the md5, it does not.
I must be doing something wrong, or it does not like to md5 random things or something. Any Advice?

for ( $a=0; $a<1; $a++) {

$password = newpwd( 10 );
$verify = $password;

$dbcnx = mysql_connect('localhost', 'bryan', 'fitch');
mysql_select_db( "playtime" );

$sql = "UPDATE members SET password=' ".md5($password)." ', verify=' ".md5($verify)" ' WHERE username='$username' ";

Thanks
bryan

Bryan Fitch
Programmer
Concept Factory
[EMAIL PROTECTED]
http://www.concept-factory.com
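The UPDATE from the post above and the column-width question raised in the reply to it, as an added example that is not code from the thread: it shows what the hand-quoted statement stores, what a too-narrow column does to the digest, and the same update written with bound parameters. It assumes the PDO SQLite extension; the in-memory table, the user "alice", the sample password and the helper stored_password() are constructed for illustration, and step 4 swaps md5() for PHP's password_hash().

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// post; the in-memory SQLite database and the sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO members (username, password) VALUES ('alice', '')");

/** Hypothetical helper: read back what is stored for a user. */
function stored_password(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    return (string) $stmt->fetchColumn();
}

$username = 'alice';
$password = 'k3Xw9QpL2a';            // constructed 10-character password
$digest   = md5($password);          // always 32 hex characters

// 1. Quoting as in the post (with the "." after md5(...) restored so the
//    line parses): the spaces inside the quotes are stored with the digest.
$db->exec("UPDATE members SET password=' " . $digest . " ' WHERE username='$username' ");
$padded = stored_password($db, $username);
printf("padded: length %d, matches digest: %s\n",
    strlen($padded), var_export($padded === $digest, true));

// 2. A column narrower than the digest breaks the comparison the same way.
//    Simulated with substr(); MySQL truncates like this when strict mode is off.
printf("truncated to 10 matches digest: %s\n",
    var_export(substr($digest, 0, 10) === $digest, true));

// 3. Bound parameters: no hand-written quoting, and $username cannot change
//    the statement.
$update = $db->prepare('UPDATE members SET password = :hash WHERE username = :user');
$update->execute([':hash' => $digest, ':user' => $username]);
printf("bound md5 matches digest: %s\n",
    var_export(stored_password($db, $username) === $digest, true));

// 4. Same statement with password_hash(), PHP's salted password hashing
//    API; verification goes through password_verify(), not string equality.
$update->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':user' => $username]);
$hash = stored_password($db, $username);
printf("password_hash: length %d, verifies: %s\n",
    strlen($hash), var_export(password_verify($password, $hash), true));
```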