FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


md5() Password Protection





moejoe
Hi,

I think its best to md5() my PHP Mysql database, so if anyone hacks thru i can protect my users.
However, if i wanted to make a forgot password script, how would i go around accomplishing this?

Can you reverse md5()?

Thanks.
sonam
Quote:
Can you reverse md5()?


I think it is not at possible to reverse md5. Maybe is better to use some other hash algorithm.

Sonam
hexkid
moejoe wrote:
... if i wanted to make a forgot password script, how would i go around accomplishing this?
You generate a brand new password (save its hash to the database) and use it.
Code:
<?php
// validate user credentials
$newpass = '';
for ($i=0; $i<7; ++$i) {
  $newpass .= chr(rand(97, 122));
}
$newpass_hash = md5($newpass);
// save $newpass_hash to the database
// mail the user his/her new password ($newpass)
?>


moejoe wrote:
Can you reverse md5()?
No, but see these links:
http://md5.rednoize.com/
http://www.schwett.com/md5/
http://us.md5.crysm.net/
manum
i think it is called hash because it can't be reversed

but dude u can always generate a new password or rehash the already hashed password that is stored in ur database and save it as the new password and then email it to ur user

what say??
Maxus
You can't reverse MD5 hasing,
you'll better create a new password.
But you perform md5 and sha1 hashing for better security.
Aredon
It should be noted that if two users have the same password that their password hashes will match exactly regardless which hash algorithm you use and when they match, it is obvious that they have the same password. To prevent this you might want to use a salt. A salt is basically a random generated string that you append to the user's password before running it through the hash algorithm. Then you store both the salt and the resulting hash from the algorithm in the database.

If PHP can reverse-engine the hash algorithm used, then it isn't a secure hash algorithm, now is it? It should also be noted that any secure hash algorithm that returns a string with a fixed-number of characters will have more than one possible password. With a virtually unlimited number of characters as input and only 32 or so characters as output, there are a zillion-fold more input combinations than output combinations *cough* endless possibilities that can generated each hash yet surely a ridiculous combination of binary characters and or some really-really long and unpredictable strings. Even with this being the case, there is an extremely rare possibility that two or more reasonably short strings will generate the same password hash and you'd not know which is the password they signed up with yet both will work. On top of all of this, the computers that have reported collusions in the secure hash algorithms must have been running for who-knows how long and the amount of time it would take to reverse-engine a password would surely take more than a few seconds -- the patience of your user waiting for a server response.
Maxus
Aredon wrote:
It should be noted that if two users have the same password that their password hashes will match exactly regardless which hash algorithm you use and when they match, it is obvious that they have the same password.

not right, you can have different string with the same md5 hash
and that's normal because the hash has a lengt of 32 charachers for every string....
Aredon
Ahh... but in such a case, their passwords would be interchangable and either password would be the same to the database hence "the same password". The secure hash algorithm could care less what you input, it just generates hashes and if the hash generated by the inputed string matches the hash in the database then the password is accepted. The point is to recognize the vulnerability.
Afaceinthematrix
You can't reverse it, but like everyone else said, you can have it reset the password and email it to the user. but be careful, because if someone doesn't have the original email they signed up with anymore and they accidently use that, or someone else does it for them, then their account password will still be changed and lost forever... So the way I do it is I send two emails... they type their email in the box and it sends them a link, and once they click the link it sends them another email with the password, so they basically have to confirm that email to make sure it's valid. I'll post the script that I use to do this... the only thing is you may want to update it because it's sloppy coding... I wrote it about two years ago when i first started using PHP so it's beginners coding...

Code:

<?php
include("public_header.php");

if ($_GET['action']=="process"){
   $check = mysql_query("SELECT `email` FROM `user` WHERE `email`='$_POST[email]' LIMIT 1");
   if (mysql_num_rows($check)=="0"){
   echo "Please insert the email that you signed up with.";
   }else{
   $row = mysql_fetch_array($check);
   $em = $row["email"];
   // make sure it isn't already in the db, if it is get rid of it and start over
   $delete_old = mysql_query("DELETE FROM `forgotpassword` WHERE `email`='$em'");
   srand((double)microtime()*1000000); 
   $rand = rand(1000000, 9999999);
   $insert = mysql_query("INSERT INTO forgotpassword (num, email) VALUES ('$rand', '$em');");
   $subject = "Forgot Password";
   $message = "In order to receive your new password, please go to this link:

$url/forgotpass.php?action=final&link=$rand";
   $headers = "From: $contact";
   mail($em, $subject, $message, $headers);
   echo "Please check your email and follow the instructions from there.";
   }

}else if ($_GET['action']=="final"){
   $codepass = $_GET["link"];
   $checkpass = mysql_query("SELECT `num`, `email` FROM `forgotpassword` WHERE `num`='$codepass' LIMIT 1");
    if (mysql_num_rows($checkpass)=="0"){
    echo "What are you doing?";
   }else{
   $row = mysql_fetch_array($checkpass);
   $the_email = $row["email"];
   $randpass = rand(100000000000, 999999999999);
   $pass_new = "$randpass";
   $new_pass = md5($pass_new);
   $update = mysql_query("UPDATE `user` SET `passwd`='$new_pass' WHERE `email`='$the_email' LIMIT 1");
   $subject = "New Password";
   $message = "Your new password is: $pass_new Please change your password once you log in. $url";
   $headers = "From: $contact";
   mail($the_email, $subject, $message, $headers);
   $delete = mysql_query("DELETE FROM `forgotpassword` WHERE `email`='$the_email'");
   echo "Your new password has been emailed to you.";
   }
 
}else{
   echo "Did you forget your password? Well you can have a new password emailed to you by filling in your email address in the form below.<br><br><center><form action=\"?action=process\" method=post><input type=\"text\" name=\"email\"> <input type=\"submit\" name=\"submit\" value=\"Send Password\"></form></center>";
}
include("public_footer.php");
?>
AOP Web Development
if you are planning to have a lost password script just what other said...
much better if you will ask the user to input their email and you will send them a randomize password for temporary access but of course you have to delete their old password in order for them to get in again, so that they can change it after they log in....
fadirocks
AOP Web Development wrote:
if you are planning to have a lost password script just what other said...
much better if you will ask the user to input their email and you will send them a randomize password for temporary access but of course you have to delete their old password in order for them to get in again, so that they can change it after they log in....


totally agree Very Happy

You never decrypt password you just create a new one over-riding the old one Smile
[FuN]goku
manum wrote:
i think it is called hash because it can't be reversed

Actually thats not true... There is a way to do it but im not saying as it is on the subject of hacking and i dont want to get in trouble ^^ but yeah make new password.. or w/e everyone else says.
rohan2kool
[FuN]goku wrote:
manum wrote:
i think it is called hash because it can't be reversed

Actually thats not true... There is a way to do it but im not saying as it is on the subject of hacking and i dont want to get in trouble ^^ but yeah make new password.. or w/e everyone else says.


Nope there is not. The reason is very simple. I give you 2 numbers, let's say 8 and 7 and ask you the sum. You'll say 15. Now, i give u the number 15, and ask you to resolve it. You can obviously resolve it, but there are so many possibilities... you can say 8 + 7, 17 + (-2), 1 + 14, 13 + 2 and so on... and you'll be right at all times.

How you come up with such solutions is by using brute force. You take a number and add up it's difference from 15 and tell it as a pair. Same thing with hash-reversing [note: it's called hash-reversing and not encrypting. encrypting is sure shot.. if u know the passphrase i.e].

An md5 hash is made up of 32-digit hexadecimal number. That means, there is a total possibility of 16 ^ 32 md5 hashes.. whereas the total possible number of strings are inifinite. Thereby although a given string has a unique md5 hash... it is not so vice-versa. It is a many-to-one kind of function.
MrBlueSky
You can use rainbow tables.
AOP Web Development
moejoe wrote:
Hi,

I think its best to md5() my PHP Mysql database, so if anyone hacks thru i can protect my users.
However, if i wanted to make a forgot password script, how would i go around accomplishing this?

Can you reverse md5()?

Thanks.


hello dude... as what i post last time that md5 is a 5 level cryptography. i don't know how may algorithms they made but if you are are planning to do that y not use base64_encode() and decrypt it with base64_decode() but try t o create some simple functions that can encrypt and decrypt. that's how you can do that!>. i hope it helps.. heheehehehe Laughing
Maxus
MrBlueSky wrote:
You can use rainbow tables.

You'll first need access to the md5 hashes
MrBlueSky
Maxus wrote:
You'll first need access to the md5 hashes


Off course. Decrypting a message you don't have isn't exactly the point here, isn't it? Razz
[FuN]goku
MrBlueSky wrote:
Maxus wrote:
You'll first need access to the md5 hashes


Off course. Decrypting a message you don't have isn't exactly the point here, isn't it? Razz
guys its not smart to talk about hacking md5 @ frihost as it violates the tos.
Related topics
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.