RE: md5 question!

Sure, but only the first eight characters of the password are actually
used to make the hash (IIRC).


Marco

On Tue, 2003-06-24 at 10:15, Hutchins, Richard wrote:
> I already admitted that this stuff was mostly over my head. However, I
> started messing around with it a bit and would like to know if the crypt()
> function would help Jerry out?
> 
> I tried md5('password') twice in a row and it did return:
> 5f4dcc3b5aa765d61d8327deb882cf99
> 5f4dcc3b5aa765d61d8327deb882cf99
> 
> Then I tried crypt('password') in a 10-step loop and got this:
> 8m7UxPXfRw7/2
> v9iuCQikPaf7w
> MwV8vcCiqrRbM
> lpf02L./2VtiU
> KRkddkPGedm2.
> LDMEpQwJgY.Mo
> 2HW51zTN93I9Y
> hyONnFjRN/9bM
> W9NKVzVgJ9kLM
> nNany7wy2drdQ
> 
> 
> The code for all of the above if anybody is interested:
> 
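> <?php
> // md5() is unsalted: the same input gives the same digest every time
> echo md5('password')."<br>";
> 
> echo md5('password')."<br><br>";
> 
> // crypt() with no salt argument: a new random salt is picked on each call
> echo "CRYPT with password<br>";
> for($i=0;$i<10;$i++){
>     echo crypt('password')."<br>";
> }
> ?>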
> 
> PHP.NET states that there is no decrypt function since crypt() is a one-way
> encryption. And given that, by default, it uses a random salt generated by
> PHP, why is this not as secure as an MD5 encrypted password? Of course, all
> of this is based on the supposition that the database is properly secured.
> 
> I am, by no means, arguing with any of the advice already offered regarding
> the MD5 question. However, if what you're looking for is a different
> encryption result for the same password, crypt() seems to do it.
> 
> Can somebody explain if this is less secure or less-preferable than MD5?
> Even if one were able to decipher the algorithm PHP uses for a crypt()
> operation, the salt is supposedly random so having the encryption algorithm
> would not be all that useful. 
> 
> Am I totally missing something here?
> 
> Rich
> 
> > -----Original Message-----
> > From: Matt Schroebel [mailto:MSchroebel@hsus.org]
> > Sent: Tuesday, June 24, 2003 9:52 AM
> > To: JeRRy
> > Cc: php-db@lists.php.net
> > Subject: RE:  md5 question!
> > 
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: JeRRy [mailto:jusa_98@yahoo.com] 
> > > Sent: Tuesday, June 24, 2003 9:50 AM
> > > To: bbonkosk@tampabay.rr.com; php-db@lists.php.net
> > > Subject: Re:  md5 question!
> > > 
> > 
> > > So with md5 I can
> > > retrieve the passwords back to the user if they lose
> > > them via email. 
> > 
> > No, you can't.  You'll need to generate a new password, md5 it, store it
> > & mark it expired, timestamp it so it's only valid for, say, 30 minutes,
> > email it, and finally, force the person to choose a new password when
> > they sign in.
> >  
> > 
> > -- 
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
-- 

Marco Tabini
President

Marco Tabini & Associates, Inc.
28 Bombay Avenue
Toronto, ON M3H 1B7
Canada

Phone: (416) 630-6202
Fax: (416) 630-5057
Web: http://www.tabini.ca
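
The two points raised in this thread (the salt making each crypt() result different, and only the first eight characters being used), as an added example that is not part of any message above. It assumes PHP's traditional DES scheme, which crypt() selects when given a two-character salt; the helper names and sample values are constructed for illustration, and password_hash()/password_verify() are PHP's later built-in API (PHP 5.5+), shown for contrast.

```php
<?php
// Added illustration; helper names are hypothetical, not from the thread.

// Traditional DES crypt(): a two-character salt selects CRYPT_STD_DES.
// The salt is kept as the first two characters of the returned hash.
function des_crypt_hash(string $password, string $salt): string
{
    return crypt($password, $salt);
}

// Verification re-runs crypt() with the stored hash as the salt argument,
// so the random salt needs no separate storage. hash_equals() compares
// in constant time.
function des_crypt_verify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample salts; a real system draws these at random.
$hashA = des_crypt_hash('password', 'ab');
$hashB = des_crypt_hash('password', 'cd');

// Same password, different salt: the stored values differ, which is why
// the ten crypt() calls in the thread printed ten different strings.
echo "same password, different salts match: ";
var_dump($hashA === $hashB);

// DES crypt reads only the first eight characters of the password, so a
// longer password sharing that prefix verifies against the same hash.
echo "longer password with same 8-char prefix verifies: ";
var_dump(des_crypt_verify('password-with-a-long-suffix', $hashA));

// A password that differs inside the first eight characters does not.
echo "password differing in first 8 chars verifies: ";
var_dump(des_crypt_verify('passw0rd', $hashA));

// password_hash() picks a salted, slow algorithm and embeds the salt and
// cost in its output; it does not stop reading at eight characters.
$modern = password_hash('password-with-a-long-suffix', PASSWORD_DEFAULT);
echo "modern hash accepts the full password: ";
var_dump(password_verify('password-with-a-long-suffix', $modern));
echo "modern hash accepts the 8-char prefix alone: ";
var_dump(password_verify('password', $modern));
```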

