It's all dependent on the "seed" the first two characters of the hash You take a password, say "apass" and pass it through md5 Say you get : dFeRDfss3456fdddsas/...... When the user types in their password, this is what happens The string above is retrieved, and the password entered, "apass" is run through md5 WITH THE KNOWN SEED, "dF" The output of md5 will be dFeRDfss3456fdddsas/...... and it is compared to what is stored. If they match, hunky-dory, the auth is granted Upon creating an md5 hash, the seed is randomly generated, so that two users with the same password may have completely different hash strings. Gary Every Sr. UNIX Administrator Ingram Entertainment (615) 287-4876 "Pay It Forward" mailto:gary.every@ingramentertainment.com http://accessingram.com > -----Original Message----- > From: bbonkosk@tampabay.rr.com [mailto:bbonkosk@tampabay.rr.com] > Sent: Tuesday, June 24, 2003 4:47 AM > To: JeRRy; php-db@lists.php.net > Subject: Re: md5 question! > > > They would be the same, they have to be. If you can de-crypt > it, there has to > be some method of validation. So, if someone choose the same > password as you > did, and you stored those in a DB as encrypted with md5, then > they would look > identical. So, you would know the other person's password. > > > > > Hi, > > > > Hmmm okay... So if the passowrd was. > > > > jerry > > > > and the md5 output was > > SKHDJHDJDHJDHSfdfs > > > > and another user sets their passowrd to the same as > > mine does that mean the md5 output would be identical > > to the last as the same password is entered? > > > > e.g. > > > > User 1: > > Username: Fred > > Password: jerry > > > > User 2: > > Username: notfred > > Password: jerry > > > > Or is each entry unique ? > > > > I'm thinking if each entry was unique than reversing > > the md5 action could be inconclusive. But if the > > output is the same if the same password is entered > > than sure it's reliable. But I could be barking up > > the wrong tree all together here, so correct me if I > > am wrong. I have not used md5 before so learning on > > that behalf. > > > > Jerry > > > > --- bbonkosk@tampabay.rr.com wrote: > Just use brute > > force... > > > Example: > > > md5('password') will ALWAYS produce the same output! > > > So, if I intercept a pmd5 encrypted password that > > > looks like: SKHGDOIUYFB > > > then I could just say: > > > if (strcmp (md5('password'), SKHGDOIUYFB) == 0) > > > printf("Your password is: %s\n", password); > > > > > > So, just start a loop going through all possible > > > combinations od legal password > > > character and encrypt with md5, then compare. > > > > > > Hard? Not at all, Time consuming, perhaps, but with > > > 3+ Ghz processors coming > > > out you'd be surprised how quickly one could loop > > > through billlions of possible > > > password combinations. Enter distributed > > > environments and it is much fatser. > > > The key is not to rely on passwords but to rely on > > > other system security > > > messures, use SSL, so it is hard to intercept in the > > > first place, make sure > > > your system is secure so these passwords cannot be > > > extracted from your DB > > > without you knowing about it, etc... > > > > > > > > > > > > > Marco, > > > > > > > > Thanks, that's what I originally thought that it > > > was > > > > one way. So websites that have the option to > > > retrieve > > > > password don't use md5? > > > > > > > > I guess technically there MUST be a way to break > > > the > > > > barrier where you can reverse it. If there is a > > > way > > > > to make it there is always a way to break it, > > > somehow. > > > > !!!! But what I have heard and read it's very > > > tight > > > > and probably the best method to handle passwords > > > for > > > > now, until something new is released. Which will > > > > happen when md5 is broken, like everything else > > > after > > > > a little bit of time. > > > > > > > > Jerry > > > > > > > > --- Marco Tabini <marcot@tabini.ca> wrote: > Hi > > > > Jerry-- > > > > > > > > > > No, md5 is a one-way hash. That's why it's so > > > > > safe--because if someone > > > > > steals the information he still can't tell what > > > the > > > > > passwords are. > > > > > > > > > > You may want to reset the passwords upon your > > > users' > > > > > request and send it > > > > > to them via e-mail instead. > > > > > > > > > > Cheers, > > > > > > > > > > > > > > > Marco > > > > > > > > > > -- > > > > > php|architect -- The Magazine for PHP > > > Professionals > > > > > Come try us out at http://www.phparch.com and > > > get a > > > > > free trial issue > > > > > > > > > > > > > > > On Tue, 2003-06-24 at 08:35, JeRRy wrote: > > > > > > Hi, > > > > > > > > > > > > If I use md5 to handle passwords to my > > > database is > > > > > > there a way to reverse the action if someone > > > > > forgets > > > > > > their password? Is there a way for me to > > > decode > > > > > the > > > > > > 32bit to plain text? > > > > > > > > > > > > Jerry > > > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > > > > - Check & compose your email via SMS on your > > > > > Telstra or Vodafone mobile. > > > > > -- > > > > > > > > > > Marco Tabini > > > > > President > > > > > > > > > > Marco Tabini & Associates, Inc. > > > > > 28 Bombay Avenue > > > > > Toronto, ON M3H 1B7 > > > > > Canada > > > > > > > > > > Phone: (416) 630-6202 > > > > > Fax: (416) 630-5057 > > > > > Web: http://www.tabini.ca > > > > > > > > > > > > > > > -- > > > > > PHP Database Mailing List (http://www.php.net/) > > > > > To unsubscribe, visit: > > > http://www.php.net/unsub.php > > > > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > > > - Check & compose your email via SMS on your > > > Telstra or Vodafone mobile. > > > > > > > > -- > > > > PHP Database Mailing List (http://www.php.net/) > > > > To unsubscribe, visit: > > > http://www.php.net/unsub.php > > > > > > > > > > > > > > > > > > > > http://mobile.yahoo.com.au - Yahoo! Mobile > > - Check & compose your email via SMS on your Telstra or > Vodafone mobile. > > > > -- > > PHP Database Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php >
