Page 1 of 1
Getting passwords if lost...
Posted: Fri Mar 11, 2005 8:45 am
by LostOne
I am using a script I found online for sessions and such. I use the following to encrypt users passwords before saving...
$encrypted = md5(md5($password).$salt);
Is it possible to get the password back; so as too email it to them incase they loose theirs? I have a bad feeling........
Posted: Fri Mar 11, 2005 8:49 am
by Chris Corbyn
Don't email them a password. Allow them to change it.
So, you could for example verify who they are by sending a link to their emailo addres so only they can access it.
They can then choose a new password and simply overwrite the old one.
I'd have a security keyword in your db (or typically a "Secret Question") to aid in this verfication.
Posted: Fri Mar 11, 2005 8:50 am
by feyd
not without a lot of brute force work, pretty much.
if you search the board for md5 against the username Roja, you'll find many discussions as to what you can and can't really do.
Posted: Fri Mar 11, 2005 8:58 am
by LostOne
thanks guys! Looks like I'll have to allow them to change their password.
Posted: Fri Mar 11, 2005 1:07 pm
by timvw
btw, why are you performing md5 on md5?
Posted: Fri Mar 11, 2005 2:28 pm
by LostOne
timvw wrote:btw, why are you performing md5 on md5?
from this here
http://www.olate.com/articles/185 His explination is below.....
I will break it up into the two parts, firstly, it uses the md5() function to create a hash from the $password variable. Then, it uses the md5() function again, but this time it uses the $password hash, and the unencrypted $salt, to create a hash from the whole lot. This is a bit more secure than just having the following code:
$encrypted = md5($password);
guys name is Matt Eunson great stuff on the site!
Posted: Fri Mar 11, 2005 2:38 pm
by feyd
overall.. hashing a hash is less secure. Given any length original password, the hash will result in a finite length message which has known characteristics. Adding a salt does almost nothing.. especially since colliding an md5 isn't all that hard anymore.
Posted: Fri Mar 11, 2005 4:22 pm
by Weirdan
feyd wrote:
...especially since colliding an md5 isn't all that hard anymore.
Surely hashing a hash would decrease the enthropy of resulting hashes... but, if I remember correctly, to create a collision one would need to control both inputs. In other words, collision attack is useless to break passwords stored this way.
Posted: Fri Mar 11, 2005 5:01 pm
by LostOne
Thank goodness i have "NO" idea what you guys are talking about. I have not been programing in php long enough......
