how to descript the password

prakumma
Forum Newbie
Posts: 3
Joined: Tue Aug 19, 2008 11:18 pm

how to descript the password

Post by prakumma »

Hi friends,
I am using md5() to encrypt the password. It gives the 32 bit char, working fine. I want to descript the password. How can I get it?
<?php
$password = 'sample';
$desc_pass = md5($password);
echo $desc_pass;
// Results: 5e8ff9bf55ba3508199d22e984129be6
?>
I want results Descript. Please help me.
Regards
prakumma.
susrisha
Forum Contributor
Posts: 439
Joined: Thu Aug 07, 2008 11:43 pm
Location: Hyderabad India

Re: how to descript the password

Post by susrisha »

I don't think there is any other method to decrypt a string encoded with md5().

This logic md5() is used as a secure store medium to store some sensitive data like password which can be checked again.

Let me show you a usage.

Code:

<?php
$sample1 = 'somecode';
$encrypted = md5($sample1);

// now if you want to check if the given is the same code, you will need to do this..
// on another page for authentication
$sample2 = 'somecode';
$encrypted2 = md5($sample2);
// strict comparison: == can treat two different "0e..." hex strings as equal numbers
if ($encrypted === $encrypted2)
{
    echo "comparison successful";
}
else
{
    echo "comparison not successful";
}

papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: how to descript the password

Post by papa »

It's not meant to be decrypted. You match the encrypted strings, if not match = no login.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: how to descript the password

Post by Apollo »

papa wrote:It's not meant to be decrypted.
And for TS: "not meant to" here means "is not possible".

So if you meant with "Descript" to convert "5e8ff9bf55ba3508199d22e984129be6" back to "sample" again, then sorry, md5 is a one-way encryption :)
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: how to descript the password

Post by papa »

Apollo wrote:
papa wrote:It's not meant to be decrypted.
And for TS: "not meant to" here means "is not possible".

So if you meant with "Descript" to convert "5e8ff9bf55ba3508199d22e984129be6" back to "sample" again, then sorry, md5 is a one-way encryption :)
Correct, should have been more clear. :)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: how to descript the password

Post by jayshields »

MD5 is going out of fashion, it's pretty easy to find a lookup table for hashed dictionary words. I just found this in 3 seconds, and it un-hashed "sample" for me - http://md5.igrkio.info/md5-hash-database.html
papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Re: how to descript the password

Post by papa »

Well it's a pretty good first step, then salting it is probably a must.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: how to descript the password

Post by Paul Arnold »

Just for reference, Hashing is one-way, Encryption is two-way.

You can decrypt an encrypted password, you can't decrypt a hashed password.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: how to descript the password

Post by jaoudestudios »

Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: how to descript the password

Post by Skoalbasher »

jaoudestudios wrote:Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)
Salt? Is that like something you add to it?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: how to descript the password

Post by jaoudestudios »

Yep, use a random string that is quite long.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: how to descript the password

Post by Apollo »

jaoudestudios wrote:Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)
Why the double md5? I'd say that's less secure than just md5($pass.$salt) ?

Besides, TS:
- better use sha1 (or preferably even sha256 or sha512) instead of md5
- if applicable, use 'pepper' as well as salt (pepper means 'user-specific salt'), so that even if two users have the same password, they will not get the same hash
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: how to descript the password

Post by Skoalbasher »

Apollo wrote:
jaoudestudios wrote:Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)
Why the double md5? I'd say that's less secure than just md5($pass.$salt) ?

Besides, TS:
- better use sha1 (or preferably even sha256 or sha512) instead of md5
- if applicable, use 'pepper' as well as salt (pepper means 'user-specific salt'), so that even if two users have the same password, they will not get the same hash
Couldn't you make pepper using user specific info? like half of their real name, jumbled up or something?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: how to descript the password

Post by Apollo »

Skoalbasher wrote:Couldn't you make pepper using user specific info? like half of their real name, jumbled up or something?
Yes, but then if they ever change their real name (assuming users can do so, in their profile settings or whatever, or it may become possible in the future) then suddenly their password hash would become invalid.

If you have constant user values (for example the date he joined), then that would do fine.
mickeyunderscore
Forum Contributor
Posts: 129
Joined: Sat Jan 31, 2009 9:00 am
Location: UK

Re: how to descript the password

Post by mickeyunderscore »

Apollo wrote:
Skoalbasher wrote:Couldn't you make pepper using user specific info? like half of their real name, jumbled up or something?
Yes, but then if they ever change their real name (assuming users can do so, in their profile settings or whatever, or it may become possible in the future) then suddenly their password hash would become invalid.

If you have constant user values (for example the date he joined), then that would do fine.
Perhaps generating a random string when a user signs up and saving that with the user's details would work also. That would reduce the chance of two users sharing a salt.
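
The salting advice in this thread, as an added example (not code from any poster): two constructed users share the password 'sample', so unsalted md5 gives them the same hash, which is what makes lookup tables work, while a random salt stored per user gives each a different hash. It goes one step beyond the thread by also showing PHP's built-in password_hash() and password_verify(), which generate and store the salt themselves; the function names new_salt, salted_hash, check_salted and sign_up are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Users and passwords are constructed.

function new_salt(): string
{
    // Random per-user salt, created once at sign-up and stored with the user row.
    return bin2hex(random_bytes(16));
}

function salted_hash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

function check_salted(string $password, array $row): bool
{
    // hash_equals() is a constant-time string comparison (no == type juggling).
    return hash_equals($row['salted'], salted_hash($password, $row['salt']));
}

function sign_up(string $password): array
{
    $salt = new_salt();
    return [
        'md5'    => md5($password),                 // unsalted, as in the first post
        'salt'   => $salt,
        'salted' => salted_hash($password, $salt),
        // Built-in: picks a slow algorithm and embeds a fresh salt in its output.
        'modern' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Constructed sample data: two users who chose the same password.
$alice = sign_up('sample');
$bob   = sign_up('sample');

$report = [
    'unsalted md5 identical for both users' => $alice['md5'] === $bob['md5'],
    'salted hashes identical'               => $alice['salted'] === $bob['salted'],
    'password_hash outputs identical'       => $alice['modern'] === $bob['modern'],
    'salted check, right password'          => check_salted('sample', $bob),
    'salted check, wrong password'          => check_salted('Sample', $bob),
    'password_verify, right password'       => password_verify('sample', $alice['modern']),
];

foreach ($report as $label => $result) {
    printf("%-40s %s\n", $label, $result ? 'yes' : 'no');
}
```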