
Thread: MD5 encryption

  1. #1
    Regular Coder GO ILLINI's Avatar
    Join Date
    Jun 2005
    Location
    USA
    Posts
    634
    Thanks
    0
    Thanked 7 Times in 7 Posts

    MD5 encryption

    Is MD5 encryption even worth it for passwords? To me it seems useless. http://www.md5decrypter.com/ can decrypt everything. Is there a better encryption available?
    Currently I'm making a php/mysql based program to organize seats for a local theater. I would like to be secure and am currently using MD5, but I don't really see how it can help. It seems to me that anyone that can hack into my database can certainly Google for an MD5 decrypter.


    -Adam
    Why not thank me?

    http://adamsworld.name

  • #2
    New Coder
    Join Date
    Nov 2007
    Posts
    72
    Thanks
    0
    Thanked 1 Time in 1 Post
    MD5 uses a hash-based encryption method so it is un-decryptable (assuming that can be a word). The site you linked uses a database of decrypted hashes so, if someone were to know your password and send it in to them, yes they can decrypt it, but they would only actually be comparing the md5 result to records in a database. In order for that site to be worth anything, they would have to have a database of billions of records which, honestly, is not feasible.

    To sum up, MD5 is great for one-way passwords. You take whatever the user has provided for login, md5 it and then compare it to your already encrypted password on file. If they match, the password is correct.
    Last edited by aWishResigned; 11-25-2007 at 10:37 PM.

  • #3
    Regular Coder GO ILLINI's Avatar
    Join Date
    Jun 2005
    Location
    USA
    Posts
    634
    Thanks
    0
    Thanked 7 Times in 7 Posts
    ahh ok thanks that makes sense...
    I understand now because everything I tried I also use their encrypter tool so they already had the answer... CHEATERS!!!


    -Adam
    Why not thank me?

    http://adamsworld.name

  • #4
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,638
    Thanks
    2
    Thanked 404 Times in 396 Posts
    If you're going to use a one-way hash for passwords use sha1() or hash('sha256', $string) if you have PHP 5.1.2+.

  • #5
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    2,958
    Thanks
    2
    Thanked 304 Times in 296 Posts
    No matter which hash you use, prepend or append a unique/nonsense "salt" string (look up salt if you don't know what that means) to it before you hash it, so that the database lookup tables/sites won't be usable to find out the original value.

    I hope you did not try any real passwords you use (even if they were not found in the database) that you have set on your router or anything else that can be tied to your IP address/domain/network you were on when you visited those sites, because they just learned your current IP address and any of your real passwords you just tried.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • Users who have thanked CFMaBiSmAd for this post:

    bazz (11-26-2007)

  • #6
    Regular Coder GO ILLINI's Avatar
    Join Date
    Jun 2005
    Location
    USA
    Posts
    634
    Thanks
    0
    Thanked 7 Times in 7 Posts
    Thanks,

    I will start using the salt method. Right now it is pretty confusing but I found a few tutorials and I am sure I will understand soon.

    And no I didn't use any real passwords or any significant words. I don't like to type passwords into any boxes they don't belong in.

    -Adam
    Why not thank me?

    http://adamsworld.name

  • #7
    Regular Coder
    Join Date
    Mar 2007
    Location
    Quebec
    Posts
    261
    Thanks
    6
    Thanked 7 Times in 7 Posts
    Actually I've got a great tutorial for password salting. If you're interested I can PM you the link. It's on a site that may not be appropriate to post publicly (here anyway). It has to do with that 'ethical hacking' stuff.

  • #8
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    No matter which hash you use, prepend or append a unique/nonsense "salt" string (look up salt if you don't know what that means) to it before you hash it, so that the database lookup tables/sites won't be usable to find out the original value.
    And to make them (the salts) really useful, make it unique for every user.

  • #9
    Regular Coder
    Join Date
    Mar 2005
    Location
    D0u$h!t3 k4?
    Posts
    512
    Thanks
    2
    Thanked 5 Times in 5 Posts
    IIRC, MD5 and the SHA-1 have both been found vulnerable. That is probably the biggest reason to use a salt. If someone knows how the algorithm(s) work, that person could indeed create a salt that very much prevents decryption of the original string. I personally use a combination of functions, sometimes including my own encoding/encryption function, all of which are salted with a different salt at each stage.
    PHP Code:
    $hello = file_get_contents('hello.txt'); echo $hello;
    hello

  • #10
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,462
    Thanks
    0
    Thanked 633 Times in 623 Posts
    An unsalted MD5 can easily be broken using a rainbow table. They may not find the real password but they will find a password that MD5s to the same hash value which is therefore just as good.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
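
The lookup-table and per-user-salt points made in posts #5, #8 and #10, shown as an added example that is not code from any poster in this thread. The user names, passwords and guess list are constructed, and `build_table()` is a hypothetical helper. A salted fast hash defeats a precomputed table but can still be guessed per account, which is why the block also shows PHP's built-in `password_hash()`.

```php
<?php
// Added example. All sample data below is constructed for illustration.

// Hypothetical helper: a miniature precomputed table, hash => plaintext,
// standing in for the large tables that lookup sites hold.
function build_table(string $algo, array $guesses): array {
    $table = [];
    foreach ($guesses as $g) {
        $table[hash($algo, $g)] = $g;
    }
    return $table;
}

$guesses = ['letmein', 'password', 'theater1'];
$md5Table = build_table('md5', $guesses);
$shaTable = build_table('sha256', $guesses);

// Two accounts that happen to share a password.
$users = ['alice' => 'letmein', 'bob' => 'letmein'];

foreach ($users as $name => $password) {
    // 1. Unsalted MD5: same password => same hash, and the table resolves it.
    $unsalted = md5($password);

    // 2. Per-user random salt stored beside the hash (random_bytes: PHP 7+).
    //    The table was built without the salt, so it no longer matches,
    //    and alice and bob get different stored values.
    $salt   = bin2hex(random_bytes(16));
    $salted = hash('sha256', $salt . $password);

    // 3. password_hash() (PHP 5.5+): generates and embeds its own salt
    //    and is deliberately slow to compute.
    $modern = password_hash($password, PASSWORD_DEFAULT);

    echo "$name\n";
    echo "  md5:           $unsalted -> table: " . ($md5Table[$unsalted] ?? 'no match') . "\n";
    echo "  salt+sha256:   $salt:$salted -> table: " . ($shaTable[$salted] ?? 'no match') . "\n";
    echo "  password_hash: $modern\n";

    // Login checks: recompute with the stored salt and compare in constant
    // time, or let password_verify() read the salt from the stored string.
    $okSalted = hash_equals($salted, hash('sha256', $salt . 'letmein'));
    $okModern = password_verify('letmein', $modern);
    echo "  verify: salted=" . var_export($okSalted, true)
       . " modern=" . var_export($okModern, true) . "\n";
}
```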

