RE: md5 question!

I already admitted that this stuff was mostly over my head. However, I
started messing around with it a bit and would like to know if the crypt()
function would help Jerry out?

I tried md5('password') twice in a row and it did return:
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99

Then I tried crypt('password') in a 10-step loop and got this:
8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ


The code for all of the above if anybody is interested:

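<?php
// Unsalted MD5: the same input gives the same digest every time.
echo md5('password')."<br>";

echo md5('password')."<br><br>";

echo "CRYPT with password<br>";
// No salt argument, so PHP generates a random salt on each call
// (PHP 8 and later require the salt to be passed explicitly).
for($i=0;$i<10;$i++){
echo crypt('password')."<br>";
}
?>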

PHP.NET states that there is no decrypt function since crypt() is a one-way
encryption. And given that, by default, it uses a random salt generated by
PHP, why is this not as secure as an MD5 encrypted password? Of course, all
of this is based on the supposition that the database is properly secured.

I am, by no means, arguing with any of the advice already offered regarding
the MD5 question. However, if what you're looking for is a different
encryption result for the same password, crypt() seems to do it.

Can somebody explain if this is less secure or less preferable than MD5?
Even if one were able to decipher the algorithm PHP uses for a crypt()
operation, the salt is supposedly random so having the encryption algorithm
would not be all that useful. 

Am I totally missing something here?

Rich

> -----Original Message-----
> From: Matt Schroebel [mailto:MSchroebel@hsus.org]
> Sent: Tuesday, June 24, 2003 9:52 AM
> To: JeRRy
> Cc: php-db@lists.php.net
> Subject: RE:  md5 question!
> 
> 
>  
> 
> > -----Original Message-----
> > From: JeRRy [mailto:jusa_98@yahoo.com] 
> > Sent: Tuesday, June 24, 2003 9:50 AM
> > To: bbonkosk@tampabay.rr.com; php-db@lists.php.net
> > Subject: Re:  md5 question!
> > 
> 
> > So with md5 I can
> > retrieve the passwords back to the user if they lose
> > them via email. 
> 
> No, you can't.  You'll need to generate a new password, md5 it, store it
> & mark it expired, timestamp it so it's only valid for, say, 30 minutes,
> email it, and finally, force the person to choose a new password when
> they sign in.
>  
> 
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
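
Added example, not part of the original message or thread: how a salted crypt() hash is stored and later verified even though every call yields a different string. The helper names make_salt(), make_hash() and check_password(), the bcrypt setting "$2y$10$" and the cost of 10 are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical;
// 'password' is the sample input used in the message above.

// Build a bcrypt setting string: "$2y$10$" followed by 22 salt characters.
function make_salt(): string {
    // 16 random bytes give 24 base64 characters; bcrypt's salt alphabet
    // uses '.' where base64 uses '+', so translate before truncating.
    $b64 = strtr(base64_encode(random_bytes(16)), '+', '.');
    return '$2y$10$' . substr($b64, 0, 22);
}

// Hash a new password. The returned string carries the algorithm id, the
// cost and the salt, so it is the only value that has to be stored.
function make_hash(string $password): string {
    return crypt($password, make_salt());
}

// Verify a login attempt. Passing the stored hash as the salt argument makes
// crypt() reuse the salt embedded in it; hash_equals() compares the two
// strings in constant time.
function check_password(string $attempt, string $stored): bool {
    return hash_equals($stored, crypt($attempt, $stored));
}

$a = make_hash('password');
$b = make_hash('password');

echo $a, "\n", $b, "\n";

// Do two salted hashes of the same password match each other?
var_dump($a === $b);

// Does the correct password verify against each stored hash?
var_dump(check_password('password', $a));
var_dump(check_password('password', $b));

// Does a wrong password verify?
var_dump(check_password('Password', $a));

// Do two unsalted MD5 digests of the same password match each other?
var_dump(md5('password') === md5('password'));
```

In PHP 5.5 and later, password_hash() and password_verify() provide this same store-the-salt-in-the-hash scheme without hand-built salts.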
