Hi,

Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to.

Thanks so much.

Jerry

--- bbonkosk@tampabay.rr.com wrote:
> They would be the same, they have to be. If you can
> de-crypt it, there has to be some method of validation.
> So, if someone chose the same password as you did, and
> you stored those in a DB as encrypted with md5, then
> they would look identical. So, you would know the other
> person's password.
>
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> > jerry
> >
> > and the md5 output was
> > SKHDJHDJDHJDHSfdfs
> >
> > and another user sets their password to the same as
> > mine does that mean the md5 output would be identical
> > to the last as the same password is entered?
> >
> > e.g.
> >
> > User 1:
> > Username: Fred
> > Password: jerry
> >
> > User 2:
> > Username: notfred
> > Password: jerry
> >
> > Or is each entry unique ?
> >
> > I'm thinking if each entry was unique then reversing
> > the md5 action could be inconclusive. But if the
> > output is the same if the same password is entered
> > then sure it's reliable. But I could be barking up
> > the wrong tree altogether here, so correct me if I
> > am wrong. I have not used md5 before so learning on
> > that behalf.
> >
> > Jerry
> >
> > --- bbonkosk@tampabay.rr.com wrote:
> > > Just use brute force...
> > > Example:
> > > md5('password') will ALWAYS produce the same output!
> > > So, if I intercept an md5 encrypted password that
> > > looks like: SKHGDOIUYFB
> > > then I could just say:
> > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
> > >   printf("Your password is: %s\n", password);
> > >
> > > So, just start a loop going through all possible
> > > combinations of legal password characters and
> > > encrypt with md5, then compare.
> > >
> > > Hard? Not at all. Time consuming, perhaps, but with
> > > 3+ Ghz processors coming out you'd be surprised how
> > > quickly one could loop through billions of possible
> > > password combinations. Enter distributed
> > > environments and it is much faster.
> > > The key is not to rely on passwords but to rely on
> > > other system security measures, use SSL, so it is
> > > hard to intercept in the first place, make sure
> > > your system is secure so these passwords cannot be
> > > extracted from your DB without you knowing about
> > > it, etc...
> > >
> > > > Marco,
> > > >
> > > > Thanks, that's what I originally thought that it
> > > > was one way. So websites that have the option to
> > > > retrieve password don't use md5?
> > > >
> > > > I guess technically there MUST be a way to break
> > > > the barrier where you can reverse it. If there is
> > > > a way to make it there is always a way to break
> > > > it, somehow. !!!! But what I have heard and read
> > > > it's very tight and probably the best method to
> > > > handle passwords for now, until something new is
> > > > released. Which will happen when md5 is broken,
> > > > like everything else after a little bit of time.
> > > >
> > > > Jerry
> > > >
> > > > --- Marco Tabini <marcot@tabini.ca> wrote:
> > > > > Hi Jerry--
> > > > >
> > > > > No, md5 is a one-way hash. That's why it's so
> > > > > safe--because if someone steals the information
> > > > > he still can't tell what the passwords are.
> > > > >
> > > > > You may want to reset the passwords upon your
> > > > > users' request and send it to them via e-mail
> > > > > instead.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Marco
> > > > >
> > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > > Hi,
> > > > > >
> > > > > > If I use md5 to handle passwords to my
> > > > > > database is there a way to reverse the action
> > > > > > if someone forgets their password? Is there a
> > > > > > way for me to decode the 32bit to plain text?
> > > > > >
> > > > > > Jerry
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
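
An added example, not part of the original thread or any poster's code: the identical-digest behaviour discussed above, shown next to PHP's salted password_hash() and a reset flow in the spirit of Marco's suggestion, here using a one-time token. It assumes PHP 7 or later; the function names, the in-memory arrays and the sample accounts are hypothetical.

```php
<?php
// Added example; the account names and passwords are constructed sample data,
// and the arrays stand in for database tables.
$accounts = ['Fred' => 'jerry', 'notfred' => 'jerry'];

// Unsalted md5(): equal passwords always give equal digests, so anyone
// reading the table sees which accounts share a password.
$md5Rows = array_map('md5', $accounts);
var_dump($md5Rows['Fred'] === $md5Rows['notfred']);

// password_hash() draws a random salt per call and embeds it in its output,
// so the same password is stored as a different string for each account.
$rows = [];
foreach ($accounts as $user => $password) {
    $rows[$user] = password_hash($password, PASSWORD_DEFAULT);
}
var_dump($rows['Fred'] === $rows['notfred']);

// Login: password_verify() reads the salt and cost back out of the stored hash.
function checkLogin(array $rows, string $user, string $attempt): bool
{
    return isset($rows[$user]) && password_verify($attempt, $rows[$user]);
}

// Forgotten password: mail a random single-use token, keep only its hash.
function issueResetToken(array &$resets, string $user, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $resets[$user] = ['hash' => hash('sha256', $token), 'expires' => time() + $ttl];
    return $token; // placed in the link e-mailed to the account owner
}

function redeemResetToken(array &$resets, array &$rows, string $user,
                          string $token, string $newPassword): bool
{
    $entry = $resets[$user] ?? null;
    if ($entry === null || $entry['expires'] < time()
        || !hash_equals($entry['hash'], hash('sha256', $token))) {
        return false;
    }
    $rows[$user] = password_hash($newPassword, PASSWORD_DEFAULT);
    unset($resets[$user]); // a token works once
    return true;
}

$resets = [];
$token = issueResetToken($resets, 'Fred');
var_dump(redeemResetToken($resets, $rows, 'Fred', $token, 'new-secret'));
var_dump(checkLogin($rows, 'Fred', 'jerry'), checkLogin($rows, 'Fred', 'new-secret'));
```

The stored password is never recovered at any point: the old hash is simply overwritten once the token holder chooses a new password.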