md5 returns a 32 char hexdec string. I'm not sure where you get an 11 char
alpha string from md5...

Since the MD5 is 32 chars in length, with 36 possibilities for each char,
that leaves us with 36^32, or
63340286662973277706162286946811886609896461828096 or
63,340,286,662,973,276,904,018,768,749,012,366,609,829,142,200,320 after
using number_format.

What is that? A little more than the billions of possibilities you suggest
would exist... Hmmm, that's 63 quindecillion, or like 63 * 10^48. Ouch. I
think even with 3+ Ghz processors you might have to wait a few years.
Months? Maybe distributed, but doubtful.

Given that it took 4 years to go through 15,769,938,165,961,326,592 keys
(out of a possible 18,446,744,073,709,551,616) to break 64 bit RSA
encryption. That's 18 * 10^18 total possible keys. That's a lot less than
63 * 10^48 and it took 4 years and 331,000 computers.

http://www.pcw.co.uk/News/1135452

From the PHP manual: http://php.net/md5

Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5
Message-Digest Algorithm, and returns that hash. The hash is a 32-character
hexadecimal number. If the optional raw_output is set to TRUE, then the md5
digest is instead returned in raw binary format with a length of 16.

Beckman

On Tue, 24 Jun 2003 bbonkosk@tampabay.rr.com wrote:

> Just use brute force...
> Example:
> md5('password') will ALWAYS produce the same output!
> So, if I intercept a pmd5 encrypted password that looks like: SKHGDOIUYFB
> then I could just say:
> if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
> printf("Your password is: %s\n", password);
>
> So, just start a loop going through all possible combinations of legal password
> character and encrypt with md5, then compare.
>
> Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming
> out you'd be surprised how quickly one could loop through billions of possible
> password combinations. Enter distributed environments and it is much faster.
> The key is not to rely on passwords but to rely on other system security
> measures, use SSL, so it is hard to intercept in the first place, make sure
> your system is secure so these passwords cannot be extracted from your DB
> without you knowing about it, etc...
>
> >
> > Marco,
> >
> > Thanks, that's what I originally thought that it was
> > one way. So websites that have the option to retrieve
> > password don't use md5?
> >
> > I guess technically there MUST be a way to break the
> > barrier where you can reverse it. If there is a way
> > to make it there is always a way to break it, somehow.
> > !!!! But what I have heard and read it's very tight
> > and probably the best method to handle passwords for
> > now, until something new is released. Which will
> > happen when md5 is broken, like everything else after
> > a little bit of time.
> >
> > Jerry
> >
> > --- Marco Tabini <marcot@tabini.ca> wrote:
> > > Hi Jerry--
> > >
> > > No, md5 is a one-way hash. That's why it's so safe--because if someone
> > > steals the information he still can't tell what the passwords are.
> > >
> > > You may want to reset the passwords upon your users' request and send it
> > > to them via e-mail instead.
> > >
> > > Cheers,
> > >
> > >
> > > Marco
> > >
> > > --
> > > php|architect -- The Magazine for PHP Professionals
> > > Come try us out at http://www.phparch.com and get a free trial issue
> > >
> > >
> > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > Hi,
> > > >
> > > > If I use md5 to handle passwords to my database is
> > > > there a way to reverse the action if someone forgets
> > > > their password? Is there a way for me to decode the
> > > > 32bit to plain text?
> > > >
> > > > Jerry
> > > >
> > > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > > - Check & compose your email via SMS on your Telstra or Vodafone mobile.
> > > --
> > >
> > > Marco Tabini
> > > President
> > >
> > > Marco Tabini & Associates, Inc.
> > > 28 Bombay Avenue
> > > Toronto, ON M3H 1B7
> > > Canada
> > >
> > > Phone: (416) 630-6202
> > > Fax: (416) 630-5057
> > > Web: http://www.tabini.ca
> > >
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------
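
The storage and "forgot password" points raised in this thread, as an added PHP example that is not code from any of the posters: md5() gives the same output for the same password, a stored hash cannot be decoded, so a forgotten password is reset rather than retrieved. It assumes PHP 7 or later; the function names, the one-hour lifetime and the sample values are hypothetical, password_hash() is swapped in for md5() as the storage format, and a one-time reset token stands in for e-mailing a new password.

```php
<?php
// Added example; function names and sample values are hypothetical/constructed.

// Storage format discussed in the thread: unsalted md5(), 32 hex characters.
// The same password always yields the same value, for every user.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// Replacement format: password_hash() picks a random salt and a slow,
// tunable algorithm, and embeds both in the returned string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login against either format. When the stored value is a legacy
// md5() hex string (or an outdated password_hash() value) and the password
// is correct, 'rehash' carries the value to write back to the database.
function check_login(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        $ok = hash_equals($stored, md5($password)); // constant-time compare
        return ['ok' => $ok, 'rehash' => $ok ? store_password($password) : null];
    }
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return ['ok' => $ok, 'rehash' => $stale ? store_password($password) : null];
}

// "Forgot password": the hash cannot be decoded, so issue a one-time reset
// token. Only the token's SHA-256 goes in the database; the raw token goes
// in the e-mailed link and expires after an hour (assumed lifetime).
function issue_reset_token(): array
{
    $token = bin2hex(random_bytes(32));
    return ['mail' => $token, 'store' => hash('sha256', $token), 'expires' => time() + 3600];
}

// Constructed sample run.
$legacy = legacy_md5_hash('password');
var_dump($legacy === legacy_md5_hash('password'));                  // unsalted
var_dump(store_password('password') === store_password('password')); // salted
$login = check_login('password', $legacy);
var_dump($login['ok'], password_verify('password', $login['rehash']));
var_dump(check_login('wrong', $legacy));
var_dump(strlen(issue_reset_token()['mail']));
```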