Re: md5 question!


 



They would be the same, they have to be.  If you can de-crypt it, there has to 
be some method of validation.  So, if someone chose the same password as you 
did, and you stored those in a DB as encrypted with md5, then they would look 
identical.  So, you would know the other person's password.



> Hi,
> 
> Hmmm okay... So if the password was.
> 
> jerry
> 
> and the md5 output was
> SKHDJHDJDHJDHSfdfs
> 
> and another user sets their password to the same as
> mine does that mean the md5 output would be identical
> to the last as the same password is entered?
> 
> e.g.
> 
> User 1:
> Username: Fred
> Password: jerry
> 
> User 2:
> Username: notfred
> Password: jerry
> 
> Or is each entry unique ?
> 
> I'm thinking if each entry was unique then reversing
> the md5 action could be inconclusive.  But if the
> output is the same if the same password is entered
> then sure it's reliable.  But I could be barking up
> the wrong tree altogether here, so correct me if I
> am wrong.  I have not used md5 before so learning on
> that behalf.
> 
> Jerry
> 
>  --- bbonkosk@tampabay.rr.com wrote: > Just use brute
> force...
> > Example:
> > md5('password') will ALWAYS produce the same output!
> > So, if I intercept an md5 encrypted password that
> > looks like: SKHGDOIUYFB
> > then I could just say:
> > if (strcmp(md5('password'), 'SKHGDOIUYFB') == 0)
> >   printf("Your password is: %s\n", 'password');
> > 
> > So, just start a loop going through all possible
> > combinations of legal password 
> > characters and encrypt with md5, then compare.  
> > 
> > Hard?  Not at all, Time consuming, perhaps, but with
> > 3+ Ghz processors coming 
> > out you'd be surprised how quickly one could loop
> > through billions of possible 
> > password combinations.  Enter distributed
> > environments and it is much faster.  
> > The key is not to rely on passwords but to rely on
> > other system security 
> > measures, use SSL, so it is hard to intercept in the
> > first place, make sure 
> > your system is secure so these passwords cannot be
> > extracted from your DB 
> > without you knowing about it, etc...
> > 
> > 
> > 
> > > Marco,
> > > 
> > > Thanks, that's what I originally thought that it
> > was
> > > one way.  So websites that have the option to
> > retrieve
> > > password don't use md5?
> > > 
> > > I guess technically there MUST be a way to break
> > the
> > > barrier where you can reverse it.  If there is a
> > way
> > > to make it there is always a way to break it,
> > somehow.
> > >  !!!!  But what I have heard and read it's very
> > tight
> > > and probably the best method to handle passwords
> > for
> > > now, until something new is released.  Which will
> > > happen when md5 is broken, like everything else
> > after
> > > a little bit of time.
> > > 
> > > Jerry
> > > 
> > >  --- Marco Tabini <marcot@tabini.ca> wrote: > Hi
> > > Jerry--
> > > > 
> > > > No, md5 is a one-way hash. That's why it's so
> > > > safe--because if someone
> > > > steals the information he still can't tell what
> > the
> > > > passwords are.
> > > > 
> > > > You may want to reset the passwords upon your
> > users'
> > > > request and send it
> > > > to them via e-mail instead.
> > > > 
> > > > Cheers,
> > > > 
> > > > 
> > > > Marco
> > > > 
> > > > --
> > > > php|architect -- The Magazine for PHP
> > Professionals
> > > > Come try us out at http://www.phparch.com and
> > get a
> > > > free trial issue
> > > > 
> > > > 
> > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > Hi,
> > > > > 
> > > > > If I use md5 to handle passwords to my
> > database is
> > > > > there a way to reverse the action if someone
> > > > forgets
> > > > > their password?  Is there a way for me to
> > decode
> > > > the
> > > > > 32bit to plain text?
> > > > > 
> > > > > Jerry
> > > > > 
> > > > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > > > - Check & compose your email via SMS on your
> > > > Telstra or Vodafone mobile.
> > > > -- 
> > > > 
> > > > Marco Tabini
> > > > President
> > > > 
> > > > Marco Tabini & Associates, Inc.
> > > > 28 Bombay Avenue
> > > > Toronto, ON M3H 1B7
> > > > Canada
> > > > 
> > > > Phone: (416) 630-6202
> > > > Fax: (416) 630-5057
> > > > Web: http://www.tabini.ca
> > > > 
> > > > 
> > > > -- 
> > > > PHP Database Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit:
> > http://www.php.net/unsub.php
> > > >  
> > > 
> > > 
> > 
> > 
> > 
> >  
> 
> 





-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
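
The point made in the reply above, as an added example that is not part of the original thread: unsalted `md5()` maps equal passwords to equal stored values, so a stolen or audited table reveals which accounts share a password, while PHP's `password_hash()` salts each entry and still verifies with `password_verify()`. The account names come from the question; the third account and the helper function names are constructed for illustration.

```php
<?php
// Constructed sample accounts: Fred and notfred share a password, as in the thread.
$users = ['Fred' => 'jerry', 'notfred' => 'jerry', 'alice' => 'different'];

// Unsalted MD5 as discussed in the thread: the digest depends only on the password.
function md5_table(array $users): array
{
    return array_map('md5', $users);   // keys (usernames) are preserved
}

// password_hash() draws a fresh random salt on every call and embeds it,
// together with the algorithm and cost, in the returned string.
function salted_table(array $users): array
{
    return array_map(fn($pw) => password_hash($pw, PASSWORD_DEFAULT), $users);
}

// Audit helper (hypothetical name): group usernames by stored value and
// return every group with more than one member.
function shared_hash_groups(array $stored): array
{
    $groups = [];
    foreach ($stored as $user => $hash) {
        $groups[$hash][] = $user;
    }
    return array_values(array_filter($groups, fn($g) => count($g) > 1));
}

$md5    = md5_table($users);
$salted = salted_table($users);

// Accounts whose stored value collides under each scheme.
echo "md5 collisions:    ", json_encode(shared_hash_groups($md5)), "\n";
echo "salted collisions: ", json_encode(shared_hash_groups($salted)), "\n";

// Login check against the salted table: the salt is read back from the
// stored string, so no separate salt column is needed.
echo "Fred/jerry verifies:  ", var_export(password_verify('jerry', $salted['Fred']), true), "\n";
echo "alice/jerry verifies: ", var_export(password_verify('jerry', $salted['alice']), true), "\n";
```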

