Page 1 of 1

a question about cookies and MD5

Posted: Thu Aug 23, 2007 11:22 am
by beemzet
Hi all,

I've been creating a user management system wich allows users to register, log in, log out and manage their profiles.

Login script works like this: Gets username and password from username and password textboxes, MD5 encrypts the password, and compares the username and password to that of the database. If everyting is OK, then logs in, otherwise doesn't login.

I added gmail-like "remember me" option to the script. If the user checks to remember the username and password, then the script will set cookies with username and MD5 encrypted password. The next time when the page is loaded, the script checks if username and password cookies had been set. If yes, those values will be shown on username and password textboxes as google does. When I get values from cookies, I will have a username, and a MD5 encrypted password, right? So, with these values, if I submit the form, my login script encrypts the password again, which is already enrypted.

There comes my question. How do I do so that MD5 encrypted password that is stored in $_COOKIES variable, can be shown as a normal password in the password textbox.

Or any other solutions to the problem???

Thank you for your time.

Posted: Thu Aug 23, 2007 11:41 am
by feyd
Do not echo the password out into the page, ever. Simple as that.

Re: a question about cookies and MD5

Posted: Thu Aug 23, 2007 11:54 am
by TheMoose
beemzet wrote:Hi all,

I've been creating a user management system wich allows users to register, log in, log out and manage their profiles.

Login script works like this: Gets username and password from username and password textboxes, MD5 encrypts the password, and compares the username and password to that of the database. If everyting is OK, then logs in, otherwise doesn't login.

I added gmail-like "remember me" option to the script. If the user checks to remember the username and password, then the script will set cookies with username and MD5 encrypted password. The next time when the page is loaded, the script checks if username and password cookies had been set. If yes, those values will be shown on username and password textboxes as google does. When I get values from cookies, I will have a username, and a MD5 encrypted password, right? So, with these values, if I submit the form, my login script encrypts the password again, which is already enrypted.

There comes my question. How do I do so that MD5 encrypted password that is stored in $_COOKIES variable, can be shown as a normal password in the password textbox.

Or any other solutions to the problem???

Thank you for your time.
I don't believe Google actually writes the username/password values into those boxes, it is most likely your browser doing that. Most "remember me" cookies setups usually just store a token/key/whatever you want to call it so that your code knows exactly who the person is based on this cookie value, and then assumes that since that cookie is set, that they are who they say they are and logs them in anyway.

Posted: Thu Aug 23, 2007 12:24 pm
by beemzet
thanx guys,

Ok, another question.

How do I find the lenght of original MD5 encrypted string?

And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here

Posted: Thu Aug 23, 2007 12:34 pm
by feyd
beemzet wrote:How do I find the lenght of original MD5 encrypted string?
In PHP, strlen(). In Javascript, the length property.
beemzet wrote:And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here
You're the one talking about MD5, why did you choose it? We often suggest SHA256 as it's much stronger. We also recommend salts, peppers and a dash of nutmeg for rich flavor.

Posted: Thu Aug 23, 2007 12:37 pm
by volka
How do I find the lenght of original MD5 encrypted string?
You would have to store that information while you have the original data. But why?
beemzet wrote:And also, why use MD5 encryption when there is a way to decrypt them? Take a look at here
Those "decrypt" pages are usually based on rainbow tables, large pre-computed tables that contain many many md5 hashes. It's very unlikely that they contain the hash for e.g. lepton34bose_ (unless someone adds this hash right now ;))

Posted: Thu Aug 23, 2007 1:06 pm
by beemzet
thank you guys.
will ask again if there is something else to ask...

Posted: Thu Aug 23, 2007 1:36 pm
by TheMoose
The funny thing about that site is it probably doesn't have every computation. But when you do part one (find the MD5/SHA1 hash), it adds that to its own lookup. I'm gonna test my theory to find out for sure though ;)

EDIT: That site doesn't use a true hash of MD5 or SHA1. They've made their own variation that is decryptable, so there it would appear there is no rainbow table for it.