Getting original password after being converted using md5


23 replies to this topic

#1 Korndawg

    Young Padawan

  • Members
  • Pip
  • 111 posts
  • Gender:Male
  • Location:Texas, USA

Posted 23 September 2006 - 01:42 AM

I was wondering if there was a way that you can get md5 to reverse its coding and give you the original password? The reason I want this is because when I have users sign up, they enter the password they want and my code converts it using md5. However, I'm making an update section and I would like the input value to have the original password. Is this possible?

#2 Mr. Matt

    Moderator

  • P2L Staff
  • PipPipPipPip
  • 1,945 posts
  • Gender:Not Telling

Posted 23 September 2006 - 02:17 AM

No, you cannot undo MD5. Displaying the value itself there is a security risk on its own. If you are having a profile update section, have 2 different bits: the main update and a change password function.

You get them to insert their original password, and 2 copies of the new one, and md5 their original one and check it against the value stored in the database. And I am sure you can work the rest out for yourself.

Matt
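
The change-password check described in this reply, as an added example that is not code from the thread: it verifies the current password against the stored MD5 digest and writes back a salted `password_hash()` value instead of a new MD5. All function names are hypothetical, and moving the stored format to `password_hash()` is an assumption of the example.

```php
<?php
// Added example; every function name here is hypothetical.

/** True if $stored looks like an unsalted MD5 hex digest from the old sign-up code. */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/** Check a submitted password against either stored format. */
function verify_password(string $password, string $stored): bool
{
    if (is_legacy_md5($stored)) {
        // MD5 the input and compare digests in constant time.
        return hash_equals(strtolower($stored), md5($password));
    }
    return password_verify($password, $stored);
}

/**
 * Change-password step: the current password plus two copies of the new one.
 * Returns the hash to store; throws with the reason when the request is rejected.
 */
function change_password(string $stored, string $current, string $new, string $confirm): string
{
    if (!verify_password($current, $stored)) {
        throw new InvalidArgumentException('current password is incorrect');
    }
    if ($new === '' || $new !== $confirm) {
        throw new InvalidArgumentException('new password is empty or the copies differ');
    }
    // The old plaintext is never needed: only a fresh hash is written back.
    return password_hash($new, PASSWORD_DEFAULT);
}

// Constructed sample account that still holds an MD5 digest.
$stored = md5('old-secret');
$stored = change_password($stored, 'old-secret', 'n3w-passphrase', 'n3w-passphrase');
var_dump(is_legacy_md5($stored), verify_password('n3w-passphrase', $stored));

try {
    change_password($stored, 'wrong-guess', 'x', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```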

#3 Korndawg

Posted 23 September 2006 - 03:16 AM

Ok Matt, thanks for the information!

#4 Av-

    I Feel Left Out

  • Members
  • PipPipPipPip
  • 1,971 posts
  • Gender:Male
  • Location:10 ft. below sea level

Posted 23 September 2006 - 11:39 AM

Why encode it anyway?

#5 Matthew.

    Official Spammer .Matt

  • Members
  • PipPipPipPip
  • 2,749 posts
  • Gender:Male
  • Location:England

Posted 23 September 2006 - 11:42 AM

Avalanche, you mean why encrypt a password? That's pretty self explanatory ....

#6 Av-

Posted 23 September 2006 - 01:45 PM

Yeah, I meant encrypt, but still, I always do it, but I don't really see the point. Once it's in the database, who can touch it?

#7 Mr. Matt

Posted 23 September 2006 - 01:50 PM

Well, if you have a poor system in place and someone injects your database and sends all the user account details to themselves, you have everyone's password in plain text.

Does that answer you?

Matt

#8 Av-

Posted 23 September 2006 - 04:30 PM

Yes, but assuming you DO have your database protected right, what's the point?

#9 Chris.

    Young Padawan

  • Members
  • Pip
  • 129 posts
  • Gender:Male

Posted 23 September 2006 - 04:36 PM

lol all you have to do to really protect your database is, say you have something like a register page, and you wanna protect it from SQL Injection. You would just set your variable something like

$username = $_POST['username'];

and to protect it you would just

$username = htmlspecialchars($_POST['username']); or something like that
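
For the registration page discussed here, SQL injection is normally handled with bound parameters, which keep user input out of the SQL text; `htmlspecialchars()` is an HTML output encoder. The following is an added example, not code from the thread, using an in-memory SQLite database through PDO; the table, column and function names are hypothetical.

```php
<?php
// Added example: table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

/** Register a user; the values travel as bound parameters, never as SQL text. */
function register_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

/** Look a user up by exact name; returns the row or null. */
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: an ordinary name and a name containing a quote.
register_user($db, 'korn', 'pw-one');
register_user($db, "o'brien", 'pw-two');

// A name with a quote is stored and matched unchanged.
var_dump(find_user($db, "o'brien") !== null);
// A string shaped like SQL is compared as a literal username and matches nothing.
var_dump(find_user($db, "x' OR '1'='1") === null);

// htmlspecialchars() is applied at output time, when a value is written into HTML.
echo htmlspecialchars('<b>korn</b>', ENT_QUOTES, 'UTF-8'), PHP_EOL;
```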

#10 Matthew.

Posted 23 September 2006 - 04:57 PM

Just do:
addslashes( stripslashes( mixed value ) )

And Avalanche (and deadly), it's not limited to injection. On a ridiculous amount of hosts you can actually use a simple one line command to get a full backup of anyone on that server's files. OK, a little overstatement, but it can be done.

I mean you always encrypt anything sensitive, it's just... standard :D

The question you ask yourself, Avalanche, is: why not? :D

I always double hash using sha1 and md5 btw :)

Edited by Matthew., 23 September 2006 - 05:23 PM.


#11 Chaos King

    Senior Programmer

  • P2L Staff
  • PipPipPip
  • 676 posts
  • Gender:Male
  • Location:Florida

Posted 23 September 2006 - 08:41 PM

I encrypt my passwords with their userID, the time they registered and their password hash. :P And some other goodies as well. Just depends on whose site I am coding :P

#12 Chris.

Posted 23 September 2006 - 09:01 PM

so, if you entered a password into a database in md5 hash, then you can't make a "forgot password" script that sends them their password?

#13 Dabu

    Young Padawan

  • Members
  • Pip
  • 148 posts
  • Location:Greensboro, North Carolina

Posted 23 September 2006 - 11:07 PM

Chris., on Sep 23 2006, 10:00 PM, said:

so, if you entered a password into a database in md5 hash, then you can't make a "forgot password" script that sends them their password?

Yes and No. You can create a "I Forgot My Password" script, but instead of sending the user its current password, you would have to have the script generate a new one.

#14 Chris.

Posted 23 September 2006 - 11:44 PM

Well, I would like it if it sends them their current password. There is a site that decrypts md5 hash, but it won't give the source code. Here it is: http://www.md5decrypter.com/ Can someone tell me how they do that?

#15 Hayden

    P2L Jedi

  • Members
  • PipPipPip
  • 716 posts
  • Gender:Male
  • Location:Texas

Posted 24 September 2006 - 12:22 AM

Chris., on Sep 23 2006, 11:44 PM, said:

Well, I would like it if it sends them their current password. There is a site that decrypts md5 hash, but it won't give the source code. Here it is: http://www.md5decrypter.com/ Can someone tell me how they do that?

dunno, but it's encouragement enough for me to start doing something like Matt or Chaos, or a combination of the 2. :blink:

#16 Matthew.

Posted 24 September 2006 - 05:06 AM

The site is bogus lol.

You can't decrypt md5. You can either dictionary list it (where a database of current md5s and their values are compared to the entered hash, which is what that site does) or you can brute force it, which takes days if not weeks for just 1 hash.

Edited by Matthew., 24 September 2006 - 07:50 AM.


#17 Av-

Posted 24 September 2006 - 07:21 AM

Yeah, the site uses a database. You can test it: here's the md5 hash for 'roflcopterlmao' (:blink:), 2a805e47611d9c33420b33435a15f919. Try it, it's not going to work.

#18 Crofty

    Young Padawan

  • Members
  • Pip
  • 32 posts

Posted 24 September 2006 - 07:32 AM

I thought md5decrypter worked by them entering words into their database and having the md5 hash as well, so when you enter an md5 it searches the database for the hash and, if it finds it, brings back the word.

Edited by Crofty, 24 September 2006 - 07:32 AM.


#19 Matthew.

Posted 24 September 2006 - 07:50 AM

That is how it works...:blink:
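
The database lookup described in the posts above, as an added example that is not from the thread: a table of precomputed MD5 digests recovers any password on its word list, misses one that is not listed, and stops matching once a per-user salt is mixed in. The word list, function names and the `salt:digest` storage format are constructed for illustration; salted MD5 appears only to show the effect of a salt on a precomputed table, and PHP's `password_hash()` applies a salt and a slow hash for you.

```php
<?php
// Added example: the word list and function names are constructed for illustration.

/** Precompute md5 => word for every word in a list, as a lookup database would. */
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[md5($w)] = $w;
    }
    return $table;
}

/** Return the word for a hash if it was precomputed, otherwise null. */
function lookup(array $table, string $hash): ?string
{
    return $table[strtolower($hash)] ?? null;
}

/** Mix a random per-user salt in before hashing; stored as "salt:digest". */
function salted_md5(string $password): string
{
    $salt = bin2hex(random_bytes(8));
    return $salt . ':' . md5($salt . $password);
}

$table = build_lookup(['password', 'letmein', 'dragon', 'qwerty']);

// A password on the list is recovered by a single array lookup.
var_dump(lookup($table, md5('letmein')));
// An unusual password is simply absent from the table.
var_dump(lookup($table, md5('roflcopterlmao')));
// The same listed password, salted: its digest is not in the precomputed table.
[, $digest] = explode(':', salted_md5('letmein'));
var_dump(lookup($table, $digest));
// Two accounts with the same password no longer share a stored value.
var_dump(salted_md5('letmein') === salted_md5('letmein'));
```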

#20 Crofty

Posted 24 September 2006 - 08:05 AM

Damn, that must be boring though, just entering words into the database. Probably makes your brain hurt as well, thinking of words.




