-
03-07-2008, 06:14 PM #1Disabled
- Join Date
- Dec 2003
- Posts
- 1,941
I still do not understand how to decode md5
The php.net site sucks when it tries to explain md5 and I asked here but no one seemed to answer my question. I want to store a password in a cookie so I use:
Code:
$blah = md5($pass);
setcookie("pass", $blah);
Code:
if ( $blah == ADMIN_PASS ) {
    echo "password works";
}
Last edited by lexington; 03-07-2008 at 06:26 PM.
-
03-07-2008, 06:26 PM #2Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,303
md5 is irreversible; you can't decode that.
To compare $blah with the value of the constant ADMIN_PASS, make sure you md5 the constant as well.
-
03-07-2008, 06:30 PM #3Disabled
- Join Date
- Dec 2003
- Posts
- 1,941
Well I'll be darn thanks it works now. I thought I had tried that already and it didn't work but I guess my page was cached or something.
Code:
$blah = md5($pass);
setcookie("pass", $blah);
if ( $blah == md5(ADMIN_PASS) ) {
    echo "password works";
}
-
03-08-2008, 10:08 AM #4Disabled
- Join Date
- Dec 2003
- Posts
- 1,941
Thanks again I totally understand how md5 works now. I have one final question. Is it ok if I use substr to chop md5 down to about 16 characters for passwords? I think that having 32 chars for every db row would waste space. I know a very little amount but if I can make things more efficient I tend to do so. I doubt the security would be highly compromised if I shorten the limit? Like:
Code:substr(md5($test), 0, 16);
-
03-08-2008, 10:41 AM #5Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
No, MD5 checksums are always 32 characters as far as I am aware.
Cutting them down to 16 characters will invalidate the checksum.
Paul
-
03-08-2008, 10:43 AM #6Junior Guru Wannabe
- Join Date
- Dec 2003
- Location
- St. Louis MO
- Posts
- 76
I'm not absolutely positive, but I believe you should be able to do that.
-
03-08-2008, 10:43 AM #7Disabled
- Join Date
- Dec 2003
- Posts
- 1,941
Cutting them down to 16 characters will invalidate the checksum.
-
03-08-2008, 10:47 AM #8Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
Meaning that it will not be secure or?
Paul
-
03-08-2008, 01:30 PM #9Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
-
03-08-2008, 01:37 PM #10Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
Originally Posted by Wikipedia
Paul
-
03-08-2008, 01:39 PM #11Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
-
03-08-2008, 01:45 PM #12Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
Why not?
Also, what is "secure", exactly?
SHA-1 sums are more secure, still vulnerable tho.
Paul
-
03-08-2008, 01:48 PM #13Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
I guess you've missed my point completely. Thanks for trying anyway.
-
03-08-2008, 01:49 PM #14Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
How about trying to explain your point?
Paul
-
03-08-2008, 02:01 PM #15Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
I'll simply ask the question again, if you don't understand it, then please simply refrain from answering: "What is secure exactly?" - i.e. is anything secure?
-
03-08-2008, 02:06 PM #16Disabled
- Join Date
- Oct 2005
- Location
- Six Degrees From You
- Posts
- 1,079
is anything secure?
Anything can be secure, depends how much access you want people to have.
If you think that MD5 hashes are secure then you might want to detail how they are secure.
Paul
-
03-08-2008, 02:28 PM #17Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
I never stated they are secure. Also, given the context of the conversation, your point on a secure system is invalid - the system has to remain useful and secure.
-
03-08-2008, 05:10 PM #18Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 76
The theory - skip below if you aren't interested
[1] Collisions - When you compute an MD5 hash, what you get is a low probability of collisions - i.e. there is a low probability for a given $a of your finding $b such that
$a != $b, but md5($a) == md5($b)
[2] 32 Chars - The 32 chars are basically hexadecimal digits - sixteen 2-digit hexadecimal numbers. So when you chop them down to 16 chars, you get eight 2-digit hexadecimal numbers
[3] Since you've lost eight of the original 2-digit hexadecimal numbers, it is far easier for md5chopped(a) == md5chopped(b) - only eight hex numbers have to match rather than sixteen. So you've -vastly- increased the probability of a collision.
[4] Just for info - the probability of a collision has increased by (this is a very rough figure) 256 to the power of eight (each hex number can be 00 to FF, that's 256 possibilities, and there are eight such) - that is 2 to the power of 64. That is roughly 4 billion x 4 billion - the number of bytes on 16 billion 1 GB ram sticks.
That's the maths/explanation. Practically speaking -
[1] Collisions can be generated theoretically / practically - there are papers/demos out on this subject. However it is very doubtful those will be used to break passwords when I last checked [they are much more useful to forge digital signatures]
[2] Rainbow tables do a much better job of breaking MD5 passwords.
[3] If you make a compromise now and your site / systems remain small, it will not really matter. But if you grow big, then some time in the future, this will snowball into a disaster. And then, the person who works on the code will probably go 'Who the heck is the idiot who wrote this code?'
Good luck either way
Last edited by ZeroPing; 03-08-2008 at 05:11 PM. Reason: Needed clarity
-
03-08-2008, 05:16 PM #19Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 76
It is also possible to generate collisions (see my reply above) to a given MD5 hash, under certain conditions. For example, digital signatures can be forged using this technique. Doesn't really apply to password hashes as far as I know, of course.
Also, what is "secure", exactly?
To define lack of security is simple - if MD5 is unable to provide the security features it provides (in the above case, being used to digitally sign text in such a fashion that only the owner can sign the text, and anybody can verify the signature as belonging to the owner) - then it is insecure. While you do have a point, so does the other poster.
-
03-10-2008, 10:48 AM #20Junior Guru Wannabe
- Join Date
- Feb 2007
- Posts
- 81
Also look into generating a salted hash, using sha512, for your passwords.
Code:hash('sha512', $password);
-
03-10-2008, 10:49 AM #21Disabled
- Join Date
- Dec 2003
- Posts
- 1,941
Thanks actually I already used a salt when I first created the password system. I checked it on md5 decrypt sites and they cannot break the password
-
03-10-2008, 11:34 AM #22Junior Guru
- Join Date
- Nov 2000
- Location
- Holland
- Posts
- 246
As mentioned elsewhere in this topic, md5 are 32 hexadecimal characters. So to save db space, store the md5 string as a 16-byte binary string.
(in PHP there is no hex2bin afaik, but for workarounds see the comments section of the bin2hex function).
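An added example, not code from the thread, covering both the truncation question and the binary-storage suggestion above: it stores the full digest in 16 raw bytes and measures how quickly truncated MD5 prefixes start to collide. The function names and the `user0`, `user1`, ... inputs are constructed for illustration; it assumes PHP 7 or later.

```php
<?php
// Added illustration; inputs are constructed ("user0", "user1", ...).

// Count how many distinct inputs are hashed before two of them share the
// same first $hexChars characters of their MD5 digest.
function inputsUntilPrefixCollision(int $hexChars): int
{
    $seen = [];
    for ($i = 0; ; $i++) {
        $prefix = substr(md5("user$i"), 0, $hexChars);
        if (isset($seen[$prefix])) {
            return $i + 1;        // inputs hashed, including the colliding one
        }
        $seen[$prefix] = true;
    }
}

// Full 128-bit digest as 16 raw bytes instead of 32 hex characters.
function md5ForBinaryColumn(string $input): string
{
    return md5($input, true);     // second argument requests raw binary output
}

// Raw storage loses nothing: it converts back to the familiar hex form,
// and pack('H*', ...) turns an existing hex digest into the same bytes.
$raw = md5ForBinaryColumn('abc123');
printf("raw digest: %d bytes, as hex: %s\n", strlen($raw), bin2hex($raw));
printf("pack('H*') on the hex digest gives the same bytes: %s\n",
    var_export(pack('H*', md5('abc123')) === $raw, true));

// Birthday effect: an n-bit prefix collides after roughly 2^(n/2) inputs,
// so every hex character dropped makes accidental matches far more likely.
foreach ([4, 6, 8] as $hexChars) {
    $bits = $hexChars * 4;
    printf("%d hex chars (%d bits): first collision after %d inputs (order of 2^%d)\n",
        $hexChars, $bits, inputsUntilPrefixCollision($hexChars), $bits / 2);
}
```

Each extra hex character kept roughly quadruples the number of inputs needed before a collision appears, and the 16 raw bytes keep all 128 bits in the same space the 16-character truncation would use.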
-
03-11-2008, 04:45 AM #23Newbie
- Join Date
- Jan 2008
- Posts
- 12
I still can't decode password when I retrieve it from mysql db
can anyone help
-
03-11-2008, 05:23 AM #24Retired Moderator
- Join Date
- Sep 2004
- Location
- Flint, Michigan
- Posts
- 5,766
It is impossible to "decode" an MD5 hashed password. Hashing a password with MD5 is a one way process, there's no going back. The only thing you can do is compare the hash to a hash of what a user inputs.
i.e. User signs up and uses the password: abc123
Password is stored in the database as: e99a18c428cb38d5f260853678922e03
When the user attempts to login, you take the text they submit on login, put that through MD5, and then compare it to the hash in your database to see if a proper password was entered.
█ Mike from Zoodia.com
-
03-11-2008, 10:56 AM #25Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 65
Dollar is spot on. You basically take their input, hash it using the MD5 algo and your salt and then compare that hash to the stored, hashed password in your DB.
Don't try and decode the MD5 hash
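The compare-on-login flow described in the last two posts, as an added example that is not part of the thread: the salted MD5 check next to PHP's built-in `password_hash()` / `password_verify()`, a swapped-in technique that generates the salt itself and uses a deliberately slow algorithm. The salt value, passwords and function names are constructed; it assumes PHP 7 or later.

```php
<?php
// Added illustration; salt, passwords and function names are constructed.

// The thread's scheme: MD5 over salt + input, compared to the stored hash.
function legacyMd5Verify(string $input, string $salt, string $storedHex): bool
{
    // hash_equals() is a constant-time, strict string comparison,
    // unlike the loose == used earlier in the thread.
    return hash_equals($storedHex, md5($salt . $input));
}

// Swapped-in technique: the password API picks a random salt per password
// and embeds the algorithm, cost and salt in the returned string.
function registerPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $input, string $storedHash): bool
{
    return password_verify($input, $storedHash);
}

// Constructed sample data standing in for a database row.
$salt       = 'constructed-site-salt';
$legacyHash = md5($salt . 'abc123');
$hashA      = registerPassword('abc123');
$hashB      = registerPassword('abc123');

// Nothing is ever decoded: each check re-hashes the input and compares.
$checks = [
    'legacy, correct password' => legacyMd5Verify('abc123', $salt, $legacyHash),
    'legacy, wrong password'   => legacyMd5Verify('abc124', $salt, $legacyHash),
    'modern, correct password' => verifyPassword('abc123', $hashA),
    'modern, wrong password'   => verifyPassword('abc124', $hashA),
    'same password, two different stored hashes' => $hashA !== $hashB,
];
foreach ($checks as $label => $result) {
    printf("%-45s %s\n", $label, $result ? 'yes' : 'no');
}
```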