Re: reverse MD5 ???

On 21 Apr 2005 Jason Barnett wrote:

> Any information that you wouldn't want in the script in plain text, you
> probably don't want in the database in clear text.  Moreover MD5 is a
> one way hash and although it is broken, you probably don't want to spend
> the processing time needed to reverse it.

In the general case, no reasonable amount of processing time will 
reverse it since (AFAIK) you have to brute force test all possible 
values, though for very short text it can sometimes be done, and there 
are online databases out there.

For the OP, this is part of what it means to use a hash or digest (MD = 
"message digest") as opposed to an encrypted value.  The conversion 
from the original text to the hash is one-way and as a general rule 
cannot be reversed except by trying every possibility for the original 
text, which becomes an astronomical task with even very small text 
lengths.  For example, for text using a-z, A-Z, and 0-9, there are 218 
trillion possible 8-character values (62 ^ 8) and 839 quadrillion 
possible 10-character values.

Imagine MD5 (this is a very crude analogy) as taking a letter, tearing 
it up into tiny pieces, rearranging them according to some complex 
predefined algorithm, then selecting a hundred or so pieces with 
individual letters on them and putting those together as a code, and 
burning the rest.  There is no way you can reproduce the letter from 
the code, except in the limited case where the letter is very short and 
your code actually incorporates all the pieces.

I believe the places where MD5 can be broken by brute force are where 
common words or phrases are used -- then it is possible to create a 
database of possibilities and their MD5 hashes and the database lookup 
is then quite fast.  For example this allows people who have the MD5 
hash of a password to break short, common words used as passwords very 
easily.  But if the MD5 value is not there, you are still stuck.  For 
the example above (10-character values using A-Z, a-z, and 0-9) if my 
calculations are correct it would take about 32 million gigabytes to 
store those 839 quadrillion values and their matching MD5 digests in a 
database, not counting indexing (which adds to this) nor compression 
and other optimization (which could reduce it).

I am not talking about general security here and saying it is OK to 
expose the MD5 values, just looking at the difficulty of reversing 
them.

--
Tom
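
The two points made in the message above (the size of the 62-character keyspace, and a precomputed table recovering only inputs that were put into it) as an added Python example that is not part of the original post. The function names, the wordlist and the stored digests are constructed for illustration.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # a-z, A-Z, 0-9: 62 symbols


def keyspace(length, alphabet=ALPHABET):
    """Number of candidate strings of exactly `length` characters."""
    return len(alphabet) ** length


def md5_hex(text):
    """Hex MD5 digest of a text string (UTF-8 encoded)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> original text for a list of likely inputs."""
    return {md5_hex(c): c for c in candidates}


def audit(stored, table):
    """Split {account: md5 digest} into recovered and unrecovered accounts."""
    recovered, stuck = {}, []
    for account, digest in stored.items():
        key = digest.lower()
        if key in table:
            recovered[account] = table[key]  # digest was precomputed
        else:
            stuck.append(account)            # only brute force remains
    return recovered, stuck


# Constructed sample data: a tiny wordlist and three stored digests.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]
STORED = {
    "alice": md5_hex("letmein"),     # short, common word
    "bob": md5_hex("qwerty"),        # short, common word
    "carol": md5_hex("t7Qm2xLp9Z"),  # 10 characters, absent from the wordlist
}

if __name__ == "__main__":
    print(f"62^8  = {keyspace(8):,}")
    print(f"62^10 = {keyspace(10):,}")
    recovered, stuck = audit(STORED, build_lookup(WORDLIST))
    print("recovered by lookup:", recovered)
    print("not in table:", stuck)
```

Running `audit` over your own stored digests with a wordlist of common passwords shows which accounts a table lookup would expose.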
