Re: md5 question!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



YOU CAN NOT RECOVER THE ORIGINAL TEXT FROM AN MD5 HASH (unless you have a
couple hundred years and nothing to do and want to try all 63*10^48
possibilities).

You can look to see if jerry and bob have the same MD5 hash as their
password, but unless your store their password in plaintext as well as an
md5 hash and you only store the md5 hash, you CANNOT send an email with the
original password.  MD5 is one-way encryption.

On Tue, 24 Jun 2003, [iso-8859-1] JeRRy wrote:

> Hi,
>
> Aha... That's what I thought! :)  So with md5 I can
> retrieve the passwords back to the user if they lose
> them via email.  That's what I was seeking an answer
> to.  Thanks so much.
>
> Jerry
>
>  --- bbonkosk@tampabay.rr.com wrote: > They would be
> the same, they have to be.  If you can
> > de-crypt it, there has to
> > be some method of validation.  So, if someone choose
> > the same password as you
> > did, and you stored those in a DB as encrypted with
> > md5, then they would look
> > identical.  So, you would know the other person's
> > password.
> >
> >
> >
> > > Hi,
> > >
> > > Hmmm okay... So if the passowrd was.
> > >
> > > jerry
> > >
> > > and the md5 output was
> > > SKHDJHDJDHJDHSfdfs
> > >
> > > and another user sets their passowrd to the same
> > as
> > > mine does that mean the md5 output would be
> > identical
> > > to the last as the same password is entered?
> > >
> > > e.g.
> > >
> > > User 1:
> > > Username: Fred
> > > Password: jerry
> > >
> > > User 2:
> > > Username: notfred
> > > Password: jerry
> > >
> > > Or is each entry unique ?
> > >
> > > I'm thinking if each entry was unique than
> > reversing
> > > the md5 action could be inconclusive.  But if the
> > > output is the same if the same password is entered
> > > than sure it's reliable.  But I could be barking
> > up
> > > the wrong tree all together here, so correct me if
> > I
> > > am wrong.  I have not used md5 before so learning
> > on
> > > that behalf.
> > >
> > > Jerry
> > >
> > >  --- bbonkosk@tampabay.rr.com wrote: > Just use
> > brute
> > > force...
> > > > Example:
> > > > md5('password') will ALWAYS produce the same
> > output!
> > > > So, if I intercept a pmd5 encrypted password
> > that
> > > > looks like: SKHGDOIUYFB
> > > > then I could just say:
> > > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0)
> > > >   printf("Your password is: %s\n", password);
> > > >
> > > > So, just start a loop going through all possible
> > > > combinations od legal password
> > > > character and encrypt with md5, then compare.
> > > >
> > > > Hard?  Not at all, Time consuming, perhaps, but
> > with
> > > > 3+ Ghz processors coming
> > > > out you'd be surprised how quickly one could
> > loop
> > > > through billlions of possible
> > > > password combinations.  Enter distributed
> > > > environments and it is much fatser.
> > > > The key is not to rely on passwords but to rely
> > on
> > > > other system security
> > > > messures, use SSL, so it is hard to intercept in
> > the
> > > > first place, make sure
> > > > your system is secure so these passwords cannot
> > be
> > > > extracted from your DB
> > > > without you knowing about it, etc...
> > > >
> > > >
> > > >
> > > > > Marco,
> > > > >
> > > > > Thanks, that's what I originally thought that
> > it
> > > > was
> > > > > one way.  So websites that have the option to
> > > > retrieve
> > > > > password don't use md5?
> > > > >
> > > > > I guess technically there MUST be a way to
> > break
> > > > the
> > > > > barrier where you can reverse it.  If there is
> > a
> > > > way
> > > > > to make it there is always a way to break it,
> > > > somehow.
> > > > >  !!!!  But what I have heard and read it's
> > very
> > > > tight
> > > > > and probably the best method to handle
> > passwords
> > > > for
> > > > > now, until something new is released.  Which
> > will
> > > > > happen when md5 is broken, like everything
> > else
> > > > after
> > > > > a little bit of time.
> > > > >
> > > > > Jerry
> > > > >
> > > > >  --- Marco Tabini <marcot@tabini.ca> wrote: >
> > Hi
> > > > > Jerry--
> > > > > >
> > > > > > No, md5 is a one-way hash. That's why it's
> > so
> > > > > > safe--because if someone
> > > > > > steals the information he still can't tell
> > what
> > > > the
> > > > > > passwords are.
> > > > > >
> > > > > > You may want to reset the passwords upon
> > your
> > > > users'
> > > > > > request and send it
> > > > > > to them via e-mail instead.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > >
> > > > > > Marco
> > > > > >
> > > > > > --
> > > > > > php|architect -- The Magazine for PHP
> > > > Professionals
> > > > > > Come try us out at http://www.phparch.com
> > and
> > > > get a
> > > > > > free trial issue
> > > > > >
> > > > > >
> > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > If I use md5 to handle passwords to my
> > > > database is
> > > > > > > there a way to reverse the action if
> > someone
> > > > > > forgets
> > > > > > > their password?  Is there a way for me to
> > > > decode
> > > > > > the
> > > > > > > 32bit to plain text?
> > > > > > >
> > > > > > > Jerry
> > > > > > >
> > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > > > > > - Check & compose your email via SMS on
> > your
> > > > > > Telstra or Vodafone mobile.
> > > > > > --
> > > > > >
> > > > > > Marco Tabini
> > > > > > President
> > > > > >
> > > > > > Marco Tabini & Associates, Inc.
> > > > > > 28 Bombay Avenue
> > > > > > Toronto, ON M3H 1B7
> > > > > > Canada
> > > > > >
> > > > > > Phone: (416) 630-6202
> > > > > > Fax: (416) 630-5057
> > > > > > Web: http://www.tabini.ca
> > > > > >
> > > > > >
> > > > > > --
> > > > > > PHP Database Mailing List
> > (http://www.php.net/)
> > > > > > To unsubscribe, visit:
> > > > http://www.php.net/unsub.php
> > > > > >
> > > > >
> > > > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > > > - Check & compose your email via SMS on your
> > > > Telstra or Vodafone mobile.
> > > > >
> > > > > --
> > > > > PHP Database Mailing List
> > (http://www.php.net/)
> > > > > To unsubscribe, visit:
> > > > http://www.php.net/unsub.php
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > http://mobile.yahoo.com.au - Yahoo! Mobile
> > > - Check & compose your email via SMS on your
> > Telstra or Vodafone mobile.
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit:
> > http://www.php.net/unsub.php
> > >
> >
> >
> >
> >
>
> http://mobile.yahoo.com.au - Yahoo! Mobile
> - Check & compose your email via SMS on your Telstra or Vodafone mobile.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux