forgot my password
Moderator: General Moderators
hey,
I'm looking to do a forgot my password script, I md5'd the passes, and have the algorithm, to decrypt it back, but my question concerns the scripting and sql querying, how would I go about doing this...? All help is appreciated...
Re: forgot my password
fresh wrote: I md5'd the passes, and have the algorithm, to decrypt it back
I was under the impression that md5 was a one-way encryption, just how easy is it to decrypt md5?
See the first user comment here
hey
I have a script which does that already, I was asking how to query the db for the row with the columns according to the email they present, I suppose that's how it works, however I have no clue how to query the db for that pass, concerning the user's inputted email... thanks
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
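I would get them to put in their username into a form and when submitted:
Code:
<?php
// Assumes $db is an open mysqli connection created earlier in the script.
if (isset($_POST["submit"]))
{
    // Bind the username as a parameter instead of concatenating it into the SQL
    $stmt = $db->prepare("SELECT password, email FROM users WHERE user = ?");
    $stmt->bind_param("s", $_POST["user"]);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row) // only continue when the username exists
    {
        $password = $row["password"]; // this is the password column name
        // decryption of your md5 pw goes here
        $email = $row["email"];
        $subject = "Your Password";
        $body = "Your password is $password";
        mail($email, $subject, $body);
    }
}
else
{
    // the submit button must be named "submit" for the isset() check above
    echo '<form name="" method="post" action="">
    <input type="text" name="user">
    <input type="submit" name="submit" value="Send">
    </form>';
}
?>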
Last edited by John Cartwright on Tue Jul 06, 2004 6:39 pm, edited 3 times in total.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
ty tim..
well in that case md5 cannot be decrypted
this will generate them a new password which is 10 digits..
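Code:
<?php
// Assumes $db is an open mysqli connection created earlier in the script.
if (isset($_POST["submit"]))
{
    // Parameterized query: user input is never concatenated into the SQL
    $stmt = $db->prepare("SELECT email FROM users WHERE user = ?");
    $stmt->bind_param("s", $_POST["user"]);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row && $_POST["email"] === $row["email"])
    {
        // just do whatever randomizing function or method you want...
        // in this case I'll just use a 10 digit number
        // random_int() uses the OS CSPRNG; two 5-digit halves stay in integer range
        $password = sprintf("%05d%05d", random_int(0, 99999), random_int(0, 99999));
        // store the hash the login code compares against (md5() in this thread)
        $hash = md5($password);
        $update = $db->prepare("UPDATE users SET password = ? WHERE user = ?");
        $update->bind_param("ss", $hash, $_POST["user"]);
        $update->execute();
        $email = $row["email"];
        $subject = "Your Password";
        $body = "Your password is $password";
        mail($email, $subject, $body);
    }
    else
    {
        echo "You have entered an invalid username or email";
    }
}
else
{
    // the submit button must be named "submit" for the isset() check above
    echo '<form name="" method="post" action="">
    <input type="text" name="user">
    <input type="text" name="email">
    <input type="submit" name="submit" value="Send">
    </form>';
}
?>
I recommend you use something else than their email to prove their identity to get a new password generated.. but it's a start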
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me. Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, think about how easy it is to brute-force). PHP.net users have suggested a good alternative:
Code:
$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site.
Good luck!
evilmonkey wrote: I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me.
short passwords are insecure by definition, regardless of hashing algorithm used.
evilmonkey wrote: Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, think about how easy it is to brute-force).
why would you hash pins or cc numbers at all? =)
evilmonkey wrote: PHP.net users have suggested a good alternative:
Code:
$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site.
It isn't more secure than plain simple md5.
-
d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
Weirdan wrote: It isn't more secure than plain simple md5.
Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (can't think of the URL).
Besides that, it's just as easy for a brute force hack, all it does is increase CPU load.
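The replies above turn on the fact that the nested construction is still an unsalted, fast md5, so the same password always produces the same stored value. The code below is an added example, not code from any poster in this thread: it accepts either legacy format at login and replaces it with a salted `password_hash()` value. The `$store` array (standing in for the users table), the function names and the sample accounts are assumptions made for the illustration.

```php
<?php
// Added example. $store stands in for the users table; the data is constructed.
function legacy_nested(string $p): string
{
    return strrev(md5(md5(strrev(md5($p))))); // the variant quoted in the thread
}

$store = [
    'alice' => md5('gitsumdata'),           // legacy row: plain md5()
    'bob'   => legacy_nested('gitsumdata'), // legacy row: nested variant
];

// Verify a login against whatever format is stored; upgrade legacy rows on success.
function login(array &$store, string $user, string $password): bool
{
    $stored = $store[$user] ?? null;
    if ($stored === null) {
        return false;
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // 32 hex characters: one of the unsalted legacy formats
        $ok = hash_equals($stored, md5($password))
           || hash_equals($stored, legacy_nested($password));
        if ($ok) {
            // per-hash random salt and a tunable work factor
            $store[$user] = password_hash($password, PASSWORD_DEFAULT);
        }
        return $ok;
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $store[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Legacy scheme: compares the stored values for one password hashed twice
var_dump(legacy_nested('gitsumdata') === legacy_nested('gitsumdata'));
login($store, 'alice', 'gitsumdata');
login($store, 'bob', 'gitsumdata');
// After the upgrade: compares the two users' stored values for that same password
var_dump($store['alice'] === $store['bob']);
// The upgraded row still accepts the password
var_dump(login($store, 'alice', 'gitsumdata'));
```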
to add
I know very well the weakness of md5, however, a little protection, means a lot... especially to me, for I know it means a lot to my users, so that's why I do it, 32 bit... The users I serve have been schooled on this and I urge them to pick misspelled words with both numbers and letters over 6 chars long... for example, If I make a pass, let's say gitsumdata as a pass, it would take very long to brute force... but like someone said, if it is something like, bird, then that would take about 2 mins to crack, if not less... I think I'm going with the new password, and make it valid only if they follow the link in their email, that way, other users, can't mess with people's accounts, too much..
thanks guys for the help
P.S. I'm going with Phenom's script, one question, do I need to add a reference to my db, host, my user name, password, etc... first, within the same script? Or will this script do ok without it?
Thanks again guys
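The approach settled on above, where nothing changes on the account until the user follows a link from their e-mail, can be built around a single-use, expiring token. The code below is an added example, not code from any poster in this thread; here the new password is set at the moment the link is followed. The table layout, the one-hour lifetime, the in-memory SQLite database, the sample account and the use of `password_hash()` in place of the thread's `md5()` are all assumptions.

```php
<?php
// Added example: single-use, expiring reset tokens. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, email TEXT, password TEXT)');
$db->exec('CREATE TABLE resets (user TEXT PRIMARY KEY, token_hash TEXT, expires INTEGER)');
// Constructed sample account
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['alice', 'alice@example.test', password_hash('old-pass', PASSWORD_DEFAULT)]);

// Step 1: the form was submitted. Returns the token for the e-mailed link, or null.
function request_reset(PDO $db, string $user): ?string
{
    $q = $db->prepare('SELECT email FROM users WHERE user = ?');
    $q->execute([$user]);
    if ($q->fetchColumn() === false) {
        return null; // caller shows the same "check your mail" page either way
    }
    $token = bin2hex(random_bytes(32)); // unguessable, from the OS CSPRNG
    $db->prepare('REPLACE INTO resets VALUES (?, ?, ?)')
       ->execute([$user, hash('sha256', $token), time() + 3600]); // only the hash is stored
    return $token;
}

// Step 2: the user followed the link and chose a new password.
function complete_reset(PDO $db, string $user, string $token, string $newPassword): bool
{
    $q = $db->prepare('SELECT token_hash, expires FROM resets WHERE user = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false; // unknown user, expired token or wrong token
    }
    $db->prepare('UPDATE users SET password = ? WHERE user = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user]);
    $db->prepare('DELETE FROM resets WHERE user = ?')->execute([$user]); // single use
    return true;
}

$token = request_reset($db, 'alice');
var_dump(complete_reset($db, 'alice', 'wrong-token', 'x'));          // wrong token
var_dump(complete_reset($db, 'alice', $token, 'new-pass-from-user')); // token from the link
var_dump(complete_reset($db, 'alice', $token, 'again'));             // same token replayed
```

Because the old password stays valid until step 2 succeeds, someone who only knows a username cannot lock the owner out by requesting resets.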
LiLpunkSkateR wrote: Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (can't think of the URL).
http://passcracking.com/ ?