Decrypt MD5

Posted: Thu Nov 20, 2003 12:21 pm
by wizzard
Hello,

I have a question: if you encrypted a pass with md5, can you get it back to the normal value? Because I'm working on a Lost Your Password system, so when users fill in their email they receive their pass.


Cheers
Kris

Posted: Thu Nov 20, 2003 12:47 pm
by artexercise
If I remember reading correctly, MD5 does not decrypt. If someone forgot their password, then reset it and send them a random password to get back into the system and change it to whatever.

Decrypting MD5 would be a security hazard.

JOE--

Posted: Thu Nov 20, 2003 1:12 pm
by wizzard
Ok thanks for the info :)

Posted: Thu Nov 20, 2003 1:22 pm
by JPlush76
Passwords using MD5 are decrypted pretty easily with a program like John the Ripper and a dictionary tool.



You should always salt your passwords, i.e.
$secretpasskey = '5SoMeThINg5eCREt7'; // keep this in a file out of the root directory

md5($thestring . $secretpasskey);

so that it will make it a little less accessible to script kiddies. They usually give up if a program doesn't do it for em.
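
Added example, not part of any poster's message: the reset flow and salted storage discussed in the posts above, written in PHP. It assumes PHP 7 or later and uses PHP's built-in password_hash() with a random per-password salt in place of the MD5-plus-secret-key construction posted above; the function names, the in-memory $users array, the addresses and the passwords are constructed for illustration.

```php
<?php
// Added example; users, addresses and passwords here are constructed.

// Store a password: password_hash() picks a random salt per call and
// embeds the salt and cost in the string it returns.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $email, string $password): bool {
    return isset($users[$email])
        && password_verify($password, $users[$email]);
}

// Lost-password flow: the stored hash cannot be turned back into the
// password, so replace it with the hash of a random temporary one.
function reset_password(array &$users, string $email): ?string {
    if (!isset($users[$email])) {
        return null;                        // unknown address, nothing changes
    }
    $temporary = bin2hex(random_bytes(8));  // 16 hex chars from the CSPRNG
    $users[$email] = store_password($temporary);
    return $temporary;                      // goes in the e-mail, is not stored
}

$users = [
    'alice@example.com' => store_password('dog'),
    'bob@example.com'   => store_password('dog'),
];

// Plain MD5: the same password always gives the same hash, so identical
// passwords are visible in the table and one word list covers every row.
echo 'md5 equal:     ', var_export(md5('dog') === md5('dog'), true), "\n";

// Salted: the same password gives a different stored string per user.
echo 'salted equal:  ',
    var_export($users['alice@example.com'] === $users['bob@example.com'], true), "\n";

$temporary = reset_password($users, 'alice@example.com');
echo 'old password:  ', var_export(login($users, 'alice@example.com', 'dog'), true), "\n";
echo 'temporary:     ', var_export(login($users, 'alice@example.com', $temporary), true), "\n";
echo 'bob untouched: ', var_export(login($users, 'bob@example.com', 'dog'), true), "\n";
echo 'unknown user:  ', var_export(reset_password($users, 'carol@example.com'), true), "\n";
```

The value returned by reset_password() is what the e-mail carries; only its hash is kept, so the user logs in with it and then picks a new password.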

Posted: Thu Nov 20, 2003 3:30 pm
by cybaf
Just to be a smartass, I have to add that md5 is not an encryption method. It is a hashing algorithm. The point of it is that there are no 2 strings that generate the same hash. :)

However, cracking it by brute force is not that difficult, but still it depends on the size of the hash. Using a 128 bit hash, I don't think any scriptkiddie with access to a program would break it, just because they (normally) don't have the computer power to do so.

cheers,
//cybaf

Posted: Thu Nov 20, 2003 3:49 pm
by JPlush76
Actually the MD5 hash prints out the EXACT same hash every single time.

MD5('dog') 5 times

c935d187f0b998ef720390f85014ed1e
c935d187f0b998ef720390f85014ed1e
c935d187f0b998ef720390f85014ed1e
c935d187f0b998ef720390f85014ed1e
c935d187f0b998ef720390f85014ed1e

Posted: Thu Nov 20, 2003 5:42 pm
by RFairey
By saying that no two strings generate the same hash he means that no other string shorter than 32 chars is going to hash to the same as 'dog'.

Posted: Thu Nov 20, 2003 6:04 pm
by cybaf
Thanks RFairey... :)

Maybe I should have clarified: There are no 2 different strings that generate the same hash.

Posted: Thu Nov 20, 2003 6:07 pm
by JPlush76
cool, we're all on the same page then :)