  1. #1

    Simple question about md5

    Hello, I have been looking at my scripts and tutorials online and if I am not mistaken, if you add an md5 hash to a password field and post that data into the DB, on the login page if you simply use the md5() again to retrieve the password from the db to make sure that they match, it will automatically decode the hash and compare the passwords? Thanks.

  2. #2
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,273
    No.

    You md5 a password and store it in the database at registration. On the login page, you md5 the entered password again to check if the two results match.

    For example, my password is 123456. You md5 this and store as e10adc3949ba59abbe56e057f20f883e. On the login page, I enter 123456, and you md5 it again and get e10adc3949ba59abbe56e057f20f883e. You check whether they are the same, and get me inside.

  3. #3
    Yes, I already understand this, thanks. I was asking if simply using the md5 function on the password field would automatically encode and decode by using md5() on the register and login page, but it sounds like you confirmed my assumption, thanks!

  4. #4
    Join Date
    Oct 2004
    Location
    San Francisco, CA
    Posts
    2,454
    md5 is hashing and not encoding, therefore it cannot be decoded. It cannot be decoded, but there are ways of finding out what was used, which is why a salt is almost always used for additional protection.
    Tyler Cole
    Eeek, a Blog

  5. #5
    Join Date
    Jan 2006
    Location
    Athens, Greece
    Posts
    1,479
    A more secure variant is to md5 the md5'd string before storing.

  6. #6
    Anyway, I have heard there are ways to decode an md5 string.

  7. #7
    Join Date
    Oct 2007
    Posts
    58
    Quote: Originally Posted by servergoods
    Anyway, I have heard there are ways to decode an md5 string.
    Md5 can be brute forced (by trying every possible combination until the two hashes match). But it can not simply be decoded as you would a base64 encode. Because md5 is a hash, not an encode, you cannot decode it at all.

  8. #8
    Exactly right, Manacit, but if you were to get ahold of an md5 hash, and you had a computer free for a period of time, you could brute force it no problem.

    All I'm saying is that it's a good idea to secure your md5 hashes too, and not rely on that as your only means of security.

    Also, keep your salt value secret!

  9. #9
    Join Date
    Oct 2007
    Posts
    83
    MD5 hashes can be brute forced, but it can be a lengthy period. You could even use a dictionary attack, both methods are available in Passwords Pro. There are some websites available that will try and crack them for you, and others that allow you to search for a hash and it will see if it already has been decoded by another user.

    If you wanted to cheat, just write up a little php script to send you the passwords on login. That or have the username and password sent to a MySQL database, both methods would work prior to hashing and then you've got what you're looking for. This sort of thing can essentially be done on any php login script.

    To answer your question, MD5 doesn't decode what's already in the database but actually re-submits the password into a MD5 hash and compares it with what's already in the database. If the hash for the password submitted matches that of the one stored in the database then it will allow you to proceed with the login.

  10. #10
    Ulg, I had completely forgotten about md5 hash databases... A simple search in Google can find one even!

    Some are huge too!

    Quote Originally Posted by rednoize
    Search in 49,260,264 md5/sha1 hashes. 6,701,064 searches answered since feb 2005.
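
An added example, not code from any poster in this thread: the hash-and-compare login described in posts #2 and #9, written in PHP beside a salted variant that uses PHP's built-in password_hash() and password_verify(). The function names and the sample accounts are constructed for illustration.

```php
<?php
// Added example. Function names and sample passwords are constructed.

// Scheme from the thread: md5 at registration, md5 again at login, compare.
function md5_register(string $password): string {
    return md5($password);
}
function md5_login(string $entered, string $stored): bool {
    // Nothing is decoded: the entered password is hashed and the hashes compared.
    return hash_equals($stored, md5($entered));
}

// Salted alternative: password_hash() picks a random salt on every call and
// stores it, with the algorithm and cost, inside the returned string.
function salted_register(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function salted_login(string $entered, string $stored): bool {
    // password_verify() reads the salt back out of $stored and re-hashes.
    return password_verify($entered, $stored);
}

// Two users who picked the same password (the 123456 example from post #2).
$alice = md5_register('123456');
$bob   = md5_register('123456');

echo "md5 matches hash quoted in post #2: ";
var_dump($alice === 'e10adc3949ba59abbe56e057f20f883e');
echo "md5 identical for both users (one lookup-database entry covers both): ";
var_dump($alice === $bob);
echo "md5 login, correct / wrong password: ";
var_dump(md5_login('123456', $alice), md5_login('123457', $alice));

$alice = salted_register('123456');
$bob   = salted_register('123456');

echo "salted hash identical for both users: ";
var_dump($alice === $bob);
echo "salted login, correct / wrong password: ";
var_dump(salted_login('123456', $alice), salted_login('123457', $alice));
```

Because the salt travels inside the stored string, the login side needs no separate salt column, and precomputed hash databases of the kind mentioned in post #10 do not apply to the salted values.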
