RE: md5 question!

md5() will always return the same for the same string, how else can you
verify that the user entered their password?

Every time they log in, you have to encrypt what they typed in
$pword=md5($pword);

select * from users where uname='$uname' and pword='$pword'

and see if it matches the password they registered with, if md5() gave you
different output, then you could never verify their password.


Eddie

-----Original Message-----
From: JeRRy [mailto:jusa_98@yahoo.com]
Sent: Tuesday, June 24, 2003 9:45 AM
To: Marco Tabini
Cc: php-db@lists.php.net
Subject: Re:  md5 question!


Marco,

Okay I just replied to another post asking if md5
outputs a different output if the same password was
entered by more than 1 user.

I think the answer to that is explained by you below.
If true, if more than 1 user had an identical password
to another the md5 output would be unique for each
user.  So a different md5 output even though the same
password.  Because if:

<snip>
it's mathematically impossible to retrieve
> the original
> password starting from the hash... which is a Good
> Thing(tm) :-)
</snip>

... is true then a different md5 output must be
output for each password even if it's the same as
another.  Because if it was "the same" md5 output it
would then be possible to reverse the md5 back to
plain text?  Well I would think so, because it's the
same.

I just received an email to my inbox saying there is a
way to reverse it.  So I really have no idea what to
think, instead I'm going to give the examples I have
received a go and see what happens.

Thanks everyone for your help/feedback/ideas and code
on this subject, it's been overwhelming.  Very much
appreciated.

Jerry


 --- Marco Tabini <marcot@tabini.ca> wrote: > On Tue,
2003-06-24 at 09:08, JeRRy wrote:
> > I guess technically there MUST be a way to break
> the
> > barrier where you can reverse it.  If there is a
> way
> > to make it there is always a way to break it,
> somehow.
> >  !!!!  But what I have heard and read it's very
> tight
> > and probably the best method to handle passwords
> for
> > now, until something new is released.  Which will
> > happen when md5 is broken, like everything else
> after
> > a little bit of time.
>
> Well, that's not necessarily true. Take something as
> simple as an
> integer division. Say that in order to calculate your
> hash you divide any
> number by 3 and discard the remainder. The result
> '4' could mean that
> your original number could be anywhere between 12
> and 14, for example,
> so that even if you know that method that was used
> to calculate the hash
> you couldn't determine the original password from
> it. md5 works on a
> similar basis, although a bit (but not that much)
> more complicated. So
> you see, it's mathematically impossible to retrieve
> the original
> password starting from the hash... which is a Good
> Thing(tm) :-)
>
>
> Marco
>
> --
> php|architect -- The Magazine for PHP Professionals
> Come try us out at http://www.phparch.com and get a
> free trial issue
>
> >
> >
> > Jerry
> >
> >  --- Marco Tabini <marcot@tabini.ca> wrote: > Hi
> > Jerry--
> > >
> > > No, md5 is a one-way hash. That's why it's so
> > > safe--because if someone
> > > steals the information he still can't tell what
> the
> > > passwords are.
> > >
> > > You may want to reset the passwords upon your
> users'
> > > request and send it
> > > to them via e-mail instead.
> > >
> > > Cheers,
> > >
> > >
> > > Marco
> > >
> > > --
> > > php|architect -- The Magazine for PHP
> Professionals
> > > Come try us out at http://www.phparch.com and
> get a
> > > free trial issue
> > >
> > >
> > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > Hi,
> > > >
> > > > If I use md5 to handle passwords to my
> database is
> > > > there a way to reverse the action if someone
> > > forgets
> > > > their password?  Is there a way for me to
> decode
> > > the
> > > > 32bit to plain text?
> > > >
> > > > Jerry
> > > >
> > > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > > - Check & compose your email via SMS on your
> > > Telstra or Vodafone mobile.
> > > --
> > >
> > > Marco Tabini
> > > President
> > >
> > > Marco Tabini & Associates, Inc.
> > > 28 Bombay Avenue
> > > Toronto, ON M3H 1B7
> > > Canada
> > >
> > > Phone: (416) 630-6202
> > > Fax: (416) 630-5057
> > > Web: http://www.tabini.ca
> > >
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit:
> http://www.php.net/unsub.php
> > >
> >



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
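
The following PHP sketch is an added example, not code posted by anyone in this thread. It shows that md5() stores the same value for two users with the same password, that such a fast unsalted hash can be matched against a list of candidate passwords without ever being inverted, and how password_hash()/password_verify() with a bound query parameter can do the login check instead. The user names, passwords, table layout and function names are constructed for illustration, and it assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example; all names, passwords and the table layout are constructed.

// 1. md5() is deterministic and unsalted: same password, same stored value.
$md5Store = [
    'alice' => md5('sunshine1'),
    'bob'   => md5('sunshine1'),
    'carol' => md5('Tr0ub4dor&3-river'),
];
echo "alice and bob share a hash: ";
var_dump($md5Store['alice'] === $md5Store['bob']);

// 2. One-way is not the same as unguessable. Nobody inverts md5; a holder of
//    the table hashes candidate passwords and compares, which is cheap.
function match_weak_password(string $storedHash, array $candidates): ?string
{
    foreach ($candidates as $candidate) {
        if (hash_equals($storedHash, md5($candidate))) {
            return $candidate;
        }
    }
    return null;
}
$weakList = ['password', 'letmein', 'sunshine1']; // constructed audit list
foreach ($md5Store as $uname => $hash) {
    echo "$uname: ", match_weak_password($hash, $weakList) ?? 'no match', "\n";
}

// 3. password_hash() adds a random salt and a work factor, so equal passwords
//    store differently, yet password_verify() still confirms the right one.
$h1 = password_hash('sunshine1', PASSWORD_DEFAULT);
$h2 = password_hash('sunshine1', PASSWORD_DEFAULT);
echo "salted hashes identical: ";
var_dump($h1 === $h2);

// 4. Login check: look the user up with a bound parameter, compare in PHP.
function check_login(PDO $db, string $uname, string $pword): bool
{
    $stmt = $db->prepare('SELECT pword FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($pword, $stored);
}
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pword TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', $h1]);
var_dump(check_login($db, 'alice', 'sunshine1'));
var_dump(check_login($db, 'alice', 'wrong-guess'));
```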

