
forgot my password

Posted: Tue Jul 06, 2004 6:19 pm
by fresh
hey,

I'm looking to do a forgot my password script. I md5'd the passes, and have the algorithm to decrypt it back, but my question concerns the scripting and SQL querying: how would I go about doing this...? All help is appreciated... :)

Re: forgot my password

Posted: Tue Jul 06, 2004 6:25 pm
by zenabi
fresh wrote: I md5'd the passes, and have the algorithm, to decrypt it back
I was under the impression that md5 was a one-way encryption, just how easy is it to decrypt md5?

Posted: Tue Jul 06, 2004 6:28 pm
by markl999
See the first user comment here

well

Posted: Tue Jul 06, 2004 6:29 pm
by fresh
if you have the algorithm that encrypted it, then perhaps you can decrypt it, by reversing it???

hey

Posted: Tue Jul 06, 2004 6:34 pm
by fresh
I have a script which does that already. I was asking how to query the db for the row with the columns according to the email they present. I suppose that's how it works, however I have no clue how to query the db for that pass, concerning the user's inputted email... thanks

Posted: Tue Jul 06, 2004 6:35 pm
by John Cartwright
I would get them to put in their username into a form and when submitted:


Code: Select all

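<?php
// Assumes $pdo is an open PDO connection to the database holding the users table.

if (isset($_POST["submit"]))
{
    // Bind the username as a parameter so form input never becomes part of the SQL text
    $stmt = $pdo->prepare("SELECT * FROM users WHERE user = ?");
    $stmt->execute(array($_POST["user"]));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row) // only continue when the username exists
    {
        $password = $row["password"]; // this is the password column name

        //decryption of your md5 pw goes here

        $email = $row["email"];
        $subject = "Your Password";
        $body = "Your password is $password";

        mail($email, $subject, $body);
    }
}
else
{
    // The submit button must be named "submit" for the isset() check above to fire
    echo '<form name="" method="post" action="">
  <input type="text" name="user">
  <input type="submit" name="submit" value="Submit">
</form>';
}
?>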

Posted: Tue Jul 06, 2004 6:37 pm
by tim
phen, you forgot a $ for the subject var.

MD5 is not an encryption tool, it's a hashing system. You cannot get the PW back.

Read up on it in the wiki section.

Posted: Tue Jul 06, 2004 6:43 pm
by John Cartwright
ty tim..

well in that case md5 cannot be decrypted

Code: Select all

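<?php
// Assumes $pdo is an open PDO connection to the database holding the users table.

if (isset($_POST["submit"]))
{
    // Bind form input as parameters instead of concatenating it into the SQL
    $stmt = $pdo->prepare("SELECT * FROM users WHERE user = ?");
    $stmt->execute(array($_POST["user"]));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Require an existing user and an exact match on the stored email
    if ($row && $_POST["email"] === $row["email"])
    {
        //just do whatever randomizing function or method you want...
        //in this case I'll just use a 10 digit number
        //random_int() draws from the system CSPRNG; rand() output is predictable
        $password = (string) random_int(1000000000, 9999999999);

        // Store the hash the login code compares against (md5 in this thread), never the plaintext
        $update = $pdo->prepare("UPDATE users SET password = ? WHERE user = ?");
        $update->execute(array(md5($password), $_POST["user"]));

        $email = $row["email"];
        $subject = "Your Password";
        $body = "Your password is $password";

        mail($email, $subject, $body);
    }
    else
    {
        echo "You have entered an invalid password";
    }
}
else
{
    // The submit button must be named "submit" for the isset() check above to fire
    echo '<form name="" method="post" action="">
  <input type="text" name="user">
  <input type="text" name="email">
  <input type="submit" name="submit" value="Submit">
</form>';
}

?>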
This will generate them a new password which is 10 digits..
I recommend you use something other than their email to prove their identity to get a new password generated.. but it's a start :P

thank you

Posted: Tue Jul 06, 2004 7:48 pm
by fresh
all for all your help, I will ponder my methods for a day, because this is something quite new to me, and I am not used to having an option...lol, again thank you guys for your help... :)

Posted: Tue Jul 06, 2004 7:58 pm
by evilmonkey
I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me. Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, think about how easy it is to brute-force). PHP.net users have suggested a good alternative:

Code: Select all

$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site. ;)

Good luck!

Posted: Tue Jul 06, 2004 8:14 pm
by Weirdan
evilmonkey wrote: I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me.
Short passwords are insecure by definition, regardless of hashing algorithm used.
evilmonkey wrote: Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, think about how easy it is to brute-force).
Why would you hash PINs or CC numbers at all? =)
evilmonkey wrote: PHP.net users have suggested a good alternative:

Code: Select all

$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site. ;)
It isn't more secure than plain simple md5.

Posted: Tue Jul 06, 2004 10:15 pm
by d3ad1ysp0rk
Weirdan wrote:It isn't more secure than plain simple md5.
Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (can't think of the URL).

Besides that, it's just as easy for a brute force hack, all it does is increase CPU load.
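
Added example (an editor's illustration, not code from any post in this thread): one way to move a users table that holds md5() digests over to PHP's salted password_hash() at the next successful login, instead of nesting more md5() calls. The table and column names follow the scripts above; the SQLite demo, the user "alice" and the function name check_login are assumptions, and the password column must be wide enough for the new hashes (VARCHAR(255)).

```php
<?php
// Added example. Assumes users(user, password) where old rows hold
// 32-character md5() hex digests. check_login() is a hypothetical name.

function check_login(PDO $pdo, $user, $inputpass) {
    $stmt = $pdo->prepare("SELECT password FROM users WHERE user = ?");
    $stmt->execute(array($user));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // no such user
    }

    // Legacy row: exactly 32 lowercase hex characters means plain md5.
    $legacy = (bool) preg_match('/^[0-9a-f]{32}\z/', $stored);
    $ok = $legacy
        ? hash_equals($stored, md5($inputpass))    // constant-time compare
        : password_verify($inputpass, $stored);
    if (!$ok) {
        return false;
    }

    // Correct password: replace the md5 digest (or an outdated cost setting)
    // with a salted, deliberately slow hash.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE users SET password = ? WHERE user = ?");
        $upd->execute(array(password_hash($inputpass, PASSWORD_DEFAULT), $user));
    }
    return true;
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)");
$pdo->prepare("INSERT INTO users VALUES (?, ?)")
    ->execute(array("alice", md5("gitsumdata")));

var_dump(check_login($pdo, "alice", "bird"));        // wrong password
var_dump(check_login($pdo, "alice", "gitsumdata"));  // legacy md5 row, upgraded here
var_dump(check_login($pdo, "alice", "gitsumdata"));  // verified by password_verify()
echo $pdo->query("SELECT password FROM users")->fetchColumn(), "\n";
```

Accounts that never log in again keep their md5 digest, so a deployment would also want a cutoff date after which those rows are forced through a password reset.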

to add

Posted: Tue Jul 06, 2004 10:32 pm
by fresh
I know very well the weakness of md5, however, a little protection means a lot... especially to me, for I know it means a lot to my users, so that's why I do it, 32 bit... The users I serve have been schooled on this and I urge them to pick misspelled words with both numbers and letters over 6 chars long... for example, if I make a pass, let's say gitsumdata as a pass, it would take very long to brute force... but like someone said, if it is something like, bird, then that would take about 2 mins to crack, if not less... I think I'm going with the new password, and make it valid only if they follow the link in their email, that way, other users can't mess with people's accounts too much.. ;)

thanks guys for the help :)


P.S. I'm going with Phenom's script, one question, do I need to add a reference to my db, host, my user name, password, etc... first, within the same script? Or will this script do OK without it?

Thanks again guys
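
Added example (an editor's illustration, not code from any post in this thread): the "valid only if they follow the link in their email" idea from the post above, done with a single-use, expiring token so that nothing changes on the account until the link is opened. The table password_resets, the URL https://example.com/reset.php, the one-hour lifetime and the function names are assumptions.

```php
<?php
// Added example. Hypothetical names: issue_reset(), redeem_reset(),
// table password_resets, and the example.com URL.

function issue_reset(PDO $pdo, $user) {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $pdo->prepare(
        "REPLACE INTO password_resets (user, token_hash, expires) VALUES (?, ?, ?)");
    // Store only a hash of the token, so a leaked table cannot be replayed.
    $stmt->execute(array($user, hash("sha256", $token), time() + 3600));
    return "https://example.com/reset.php?user=" . urlencode($user) . "&token=" . $token;
}

function redeem_reset(PDO $pdo, $user, $token, $newpass) {
    $stmt = $pdo->prepare("SELECT token_hash, expires FROM password_resets WHERE user = ?");
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !is_string($token) || $row["expires"] < time()
        || !hash_equals($row["token_hash"], hash("sha256", $token))) {
        return false;                              // unknown, expired or wrong token
    }
    $pdo->beginTransaction();
    // The login code must check this value with password_verify().
    $pdo->prepare("UPDATE users SET password = ? WHERE user = ?")
        ->execute(array(password_hash($newpass, PASSWORD_DEFAULT), $user));
    // Single use: the link stops working once the password has changed.
    $pdo->prepare("DELETE FROM password_resets WHERE user = ?")->execute(array($user));
    $pdo->commit();
    return true;
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)");
$pdo->exec("CREATE TABLE password_resets (user TEXT PRIMARY KEY, token_hash TEXT, expires INTEGER)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'old-value')");

$link = issue_reset($pdo, "alice");                // this is what mail() would send
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(redeem_reset($pdo, "alice", str_repeat("0", 64), "n3w-passphrase")); // wrong token
var_dump(redeem_reset($pdo, "alice", $q["token"], "n3w-passphrase"));          // valid link
var_dump(redeem_reset($pdo, "alice", $q["token"], "another-one"));             // reused link
```

The page that accepts the reset request should show the same message whether or not the username exists, so the form cannot be used to list accounts.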

Posted: Wed Jul 07, 2004 12:12 am
by Weirdan
LiLpunkSkateR wrote: Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (can't think of the URL).
http://passcracking.com/ ? ;)

Posted: Wed Jul 07, 2004 12:26 am
by d3ad1ysp0rk
That's the one.

Stupid site.. *grumble grumble*

lol