They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone chose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.

> Hi,
>
> Hmmm okay... So if the password was.
>
> jerry
>
> and the md5 output was
> SKHDJHDJDHJDHSfdfs
>
> and another user sets their password to the same as
> mine does that mean the md5 output would be identical
> to the last as the same password is entered?
>
> e.g.
>
> User 1:
> Username: Fred
> Password: jerry
>
> User 2:
> Username: notfred
> Password: jerry
>
> Or is each entry unique ?
>
> I'm thinking if each entry was unique then reversing
> the md5 action could be inconclusive. But if the
> output is the same if the same password is entered
> then sure it's reliable. But I could be barking up
> the wrong tree altogether here, so correct me if I
> am wrong. I have not used md5 before so learning on
> that behalf.
>
> Jerry
>
> --- bbonkosk@tampabay.rr.com wrote:
> > Just use brute force...
> > Example:
> > md5('password') will ALWAYS produce the same output!
> > So, if I intercept an md5 encrypted password that
> > looks like: SKHGDOIUYFB
> > then I could just say:
> > if (strcmp(md5($password), 'SKHGDOIUYFB') == 0)
> >     printf("Your password is: %s\n", $password);
> >
> > So, just start a loop going through all possible
> > combinations of legal password
> > character and encrypt with md5, then compare.
> >
> > Hard? Not at all, Time consuming, perhaps, but with
> > 3+ Ghz processors coming out you'd be surprised how
> > quickly one could loop through billions of possible
> > password combinations. Enter distributed
> > environments and it is much faster.
> > The key is not to rely on passwords but to rely on
> > other system security measures, use SSL, so it is
> > hard to intercept in the first place, make sure
> > your system is secure so these passwords cannot be
> > extracted from your DB without you knowing about it, etc...
> >
> > > Marco,
> > >
> > > Thanks, that's what I originally thought that it was
> > > one way. So websites that have the option to retrieve
> > > password don't use md5?
> > >
> > > I guess technically there MUST be a way to break the
> > > barrier where you can reverse it. If there is a way
> > > to make it there is always a way to break it, somehow.
> > > !!!! But what I have heard and read it's very tight
> > > and probably the best method to handle passwords for
> > > now, until something new is released. Which will
> > > happen when md5 is broken, like everything else after
> > > a little bit of time.
> > >
> > > Jerry
> > >
> > > --- Marco Tabini <marcot@tabini.ca> wrote:
> > > > Hi Jerry--
> > > >
> > > > No, md5 is a one-way hash. That's why it's so
> > > > safe--because if someone steals the information
> > > > he still can't tell what the passwords are.
> > > >
> > > > You may want to reset the passwords upon your users'
> > > > request and send it to them via e-mail instead.
> > > >
> > > > Cheers,
> > > >
> > > > Marco
> > > >
> > > > --
> > > > php|architect -- The Magazine for PHP Professionals
> > > > Come try us out at http://www.phparch.com and get a
> > > > free trial issue
> > > >
> > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > Hi,
> > > > >
> > > > > If I use md5 to handle passwords to my database is
> > > > > there a way to reverse the action if someone forgets
> > > > > their password? Is there a way for me to decode the
> > > > > 32bit to plain text?
> > > > >
> > > > > Jerry
> > > >
> > > > --
> > > > Marco Tabini
> > > > President
> > > >
> > > > Marco Tabini & Associates, Inc.
> > > > 28 Bombay Avenue
> > > > Toronto, ON M3H 1B7
> > > > Canada
> > > >
> > > > Phone: (416) 630-6202
> > > > Fax: (416) 630-5057
> > > > Web: http://www.tabini.ca

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
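
The behaviour discussed in this thread, as an added example that is not part of any poster's message: unsalted md5 gives Fred and notfred the same stored value, a per-user salted hash does not, and a forgotten password is handled by a reset token rather than by decoding. It assumes PHP 7 or later for password_hash(), password_verify(), hash_equals() and random_bytes(); the function names check_login, new_reset_token and reset_token_valid and the token row layout are hypothetical.

```php
<?php
// Constructed sample data taken from the question: two users, same password.
$users = ['Fred' => 'jerry', 'notfred' => 'jerry'];

// 1. Unsalted md5: equal passwords give equal digests, so anyone who can
//    read the table learns which accounts share a password.
$md5Rows = array_map('md5', $users);
var_dump($md5Rows['Fred'] === $md5Rows['notfred']);

// 2. password_hash(): a random salt is generated on every call and stored
//    inside the returned string, so the rows differ for the same password.
$rows = [];
foreach ($users as $name => $password) {
    $rows[$name] = password_hash($password, PASSWORD_DEFAULT);
}
var_dump($rows['Fred'] === $rows['notfred']);

// 3. Login check: password_verify() re-derives the hash from the salt and
//    cost embedded in the stored value; nothing is ever decrypted.
function check_login(array $rows, string $name, string $attempt): bool
{
    if (!isset($rows[$name])) {
        return false;
    }
    return password_verify($attempt, $rows[$name]);
}
var_dump(check_login($rows, 'Fred', 'jerry'));
var_dump(check_login($rows, 'Fred', 'Jerry'));

// 4. Forgotten password: issue a one-time random token, e-mail it, and
//    store only its hash plus an expiry time (hypothetical row layout).
function new_reset_token(): array
{
    $token = bin2hex(random_bytes(32));          // value sent to the user
    return [
        'token'   => $token,
        'stored'  => hash('sha256', $token),     // value kept in the DB
        'expires' => time() + 3600,
    ];
}
function reset_token_valid(array $row, string $presented): bool
{
    return time() < $row['expires']
        && hash_equals($row['stored'], hash('sha256', $presented));
}
$reset = new_reset_token();
var_dump(reset_token_valid($reset, $reset['token']));
```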