On Tue, 2003-06-24 at 09:45, JeRRy wrote:
> If true, if more than 1 user had an identical password
> to another the md5 output would be unique for each
> user. So a different md5 output even though the same
> password. Because if:
>
> <snip>
> > it's mathematically impossible to retrieve the original
> > password starting from the hash... which is a Good
> > Thing(tm) :-)
> </snip>
>
> ... is true then a different md5 output must be
> outputted for each password even if it's the same as
> another. Because if it was "the same" md5 output it
> would then be possible to reverse the md5 back to
> plain text? Well I would think so, because it's the
> same.

No, these are two unrelated concepts, in fact they contradict each other. If two passwords *can* have the same hash (which is well possible), then you can't tell the password from the hash.

> I just received an email to my inbox saying there is a
> way to reverse it. So I really have no idea what to
> think, instead I'm going to give the examples I have
> received a go and see what happens.

Well, I haven't heard of md5 being broken, although it's been claimed that it is breakable. I'd love to see the references they have sent you!

Cheers,

Marco

>
> Thanks everyone for your help/feedback/ideas and code
> on this subject, it's been overwhelming. Very much
> appreciated.
>
> Jerry
>
> --- Marco Tabini <marcot@tabini.ca> wrote:
> > On Tue, 2003-06-24 at 09:08, JeRRy wrote:
> > > I guess technically there MUST be a way to break the
> > > barrier where you can reverse it. If there is a way
> > > to make it there is always a way to break it, somehow.
> > > !!!! But what I have heard and read it's very tight
> > > and probably the best method to handle passwords for
> > > now, until something new is released. Which will
> > > happen when md5 is broken, like everything else after
> > > a little bit of time.
> >
> > Well, that's not necessarily true. Take something as simple as an
> > integer division. Say that in order to calculate your hash you divide any
> > number by 3 and discard the remainder. The result '4' could mean that
> > your original number could be anywhere between 12 and 14, for example,
> > so that even if you know the method that was used to calculate the hash
> > you couldn't determine the original password from it. md5 works on a
> > similar basis, although a bit (but not that much) more complicated. So
> > you see, it's mathematically impossible to retrieve the original
> > password starting from the hash... which is a Good Thing(tm) :-)
> >
> > Marco
> >
> > --
> > php|architect -- The Magazine for PHP Professionals
> > Come try us out at http://www.phparch.com and get a free trial issue
> >
> > > Jerry
> > >
> > > --- Marco Tabini <marcot@tabini.ca> wrote:
> > > > Hi Jerry--
> > > >
> > > > No, md5 is a one-way hash. That's why it's so safe--because if someone
> > > > steals the information he still can't tell what the passwords are.
> > > >
> > > > You may want to reset the passwords upon your users' request and send it
> > > > to them via e-mail instead.
> > > >
> > > > Cheers,
> > > >
> > > > Marco
> > > >
> > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > Hi,
> > > > >
> > > > > If I use md5 to handle passwords to my database is
> > > > > there a way to reverse the action if someone forgets
> > > > > their password? Is there a way for me to decode the
> > > > > 32bit to plain text?
> > > > >
> > > > > Jerry

--
Marco Tabini
President

Marco Tabini & Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada

Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
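
The points made in this thread, as an added PHP example that is not part of the original messages: the divide-by-3 toy hash maps several inputs to one output, md5() gives the same digest for the same password, and a forgotten password is handled by resetting it rather than decoding the stored digest. The function names and the sample user table are constructed for illustration.

```php
<?php
// Added illustration; function names and sample data are constructed.

// The toy hash from the thread: divide by 3 and discard the remainder.
function toy_hash(int $n): int {
    return intdiv($n, 3);
}

// Every input in $range that produces $hash. More than one match means the
// hash alone cannot identify which input was used.
function toy_preimages(int $hash, array $range): array {
    return array_values(array_filter($range, fn($n) => toy_hash($n) === $hash));
}

// Reset instead of recover: create a fresh random password, keep only its
// md5 digest (as in the thread), and return the plaintext once for e-mailing.
function reset_password(array &$users, string $name): string {
    $new = bin2hex(random_bytes(8));   // 16 hex characters from the CSPRNG
    $users[$name] = md5($new);         // only the digest is stored
    return $new;
}

// Login check: hash the attempt and compare digests in constant time.
function check_password(array $users, string $name, string $attempt): bool {
    return isset($users[$name]) && hash_equals($users[$name], md5($attempt));
}

// Constructed user table: alice and bob happen to choose the same password.
$users = ['alice' => md5('hunter2'), 'bob' => md5('hunter2')];

// Inputs between 0 and 20 that collide on the toy hash value 4.
print_r(toy_preimages(4, range(0, 20)));

// Same password, same digest: md5 is deterministic, not unique per user.
var_dump($users['alice'] === $users['bob']);

// alice forgets her password: nothing is decoded, a new one is issued.
$temp = reset_password($users, 'alice');
var_dump(check_password($users, 'alice', $temp));      // temporary password
var_dump(check_password($users, 'alice', 'hunter2'));  // previous password
var_dump($users['alice'] === $users['bob']);           // digests after reset
```

md5() is kept here only to match the thread; PHP's built-in password_hash() and password_verify() are the functions designed for storing passwords, and the reset flow is the same with them.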