
how to descript the password

Posted: Mon Feb 02, 2009 3:20 am
by prakumma
Hi friends,
I am using md5() to encrypt the password. It gives the 32 bit char, working fine. I want to descript the password. How can I get it?
<?php
$password = 'sample';
$desc_pass = md5($password);
echo $desc_pass;
// Results: 5e8ff9bf55ba3508199d22e984129be6
?>
I want results Descript. Please help me.
Regards,
prakumma.

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:27 am
by susrisha
I don't think there is any other method to decrypt a string encoded with md5().

This logic, md5(), is used as a secure storage medium to store some sensitive data like a password, which can be checked again.

Let me show you a usage.

$sample1 = 'somecode';
$encrypted = md5($sample1);

// Now, if you want to check whether the given value is the same code, you need to do this
// on another page for authentication.
$sample2 = 'somecode';
$encrypted2 = md5($sample2);
// Strict comparison: with ==, two hashes that both look like "0e<digits>" compare equal as numbers.
if ($encrypted === $encrypted2)
{
    echo "comparison successful";
}
else
{
    echo "comparison not successful";
}

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:36 am
by papa
It's not meant to be decrypted. You match the encrypted strings, if not match = no login.

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:57 am
by Apollo
papa wrote: It's not meant to be decrypted.

And for TS: "not meant to" here means "is not possible".

So if you meant with "Descript" to convert "5e8ff9bf55ba3508199d22e984129be6" back to "sample" again, then sorry, md5 is a one-way encryption :)

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:59 am
by papa
Apollo wrote:
papa wrote: It's not meant to be decrypted.
And for TS: "not meant to" here means "is not possible".

So if you meant with "Descript" to convert "5e8ff9bf55ba3508199d22e984129be6" back to "sample" again, then sorry, md5 is a one-way encryption :)

Correct, should have been more clear. :)

Re: how to descript the password

Posted: Mon Feb 02, 2009 7:38 am
by jayshields
MD5 is going out of fashion, it's pretty easy to find a lookup table for hashed dictionary words. I just found this in 3 seconds, and it un-hashed "sample" for me - http://md5.igrkio.info/md5-hash-database.html

Re: how to descript the password

Posted: Mon Feb 02, 2009 7:42 am
by papa
Well it's a pretty good first step, then salting it is probably a must.

Re: how to descript the password

Posted: Mon Feb 02, 2009 11:27 am
by Paul Arnold
Just for reference, Hashing is one-way, Encryption is two-way.

You can decrypt an encrypted password, you can't decrypt a hashed password.

Re: how to descript the password

Posted: Mon Feb 02, 2009 12:02 pm
by jaoudestudios
Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)

Re: how to descript the password

Posted: Mon Feb 02, 2009 12:19 pm
by Skoalbasher
jaoudestudios wrote: Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)

Salt? Is that like something you add to it?

Re: how to descript the password

Posted: Mon Feb 02, 2009 1:06 pm
by jaoudestudios
Yep, use a random string that is quite long.

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:03 pm
by Apollo
jaoudestudios wrote: Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)

Why the double md5? I'd say that's less secure than just md5($pass.$salt)?

Besides, TS:
- better use sha1 (or preferably even sha256 or sha512) instead of md5
- if applicable, use 'pepper' as well as salt (pepper means 'user-specific salt'), so that even if two users have the same password, they will not get the same hash

Re: how to descript the password

Posted: Mon Feb 02, 2009 3:10 pm
by Skoalbasher
Apollo wrote:
jaoudestudios wrote: Definitely use a salt and then md5 it again.
i.e. md5(md5($pass) . $salt)
Why the double md5? I'd say that's less secure than just md5($pass.$salt) ?

Besides, TS:
- better use sha1 (or preferably even sha256 or sha512) instead of md5
- if applicable, use 'pepper' as well as salt (pepper means 'user-specific salt'), so that even if two users have the same password, they will not get the same hash

Couldn't you make pepper using user-specific info? Like half of their real name, jumbled up or something?

Re: how to descript the password

Posted: Mon Feb 02, 2009 5:33 pm
by Apollo
Skoalbasher wrote: Couldn't you make pepper using user specific info? like half of their real name, jumbled up or something?

Yes, but then if they ever change their real name (assuming users can do so, in their profile settings or whatever, or it may become possible in the future) then suddenly their password hash would become invalid.

If you have constant user values (for example the date he joined), then that would do fine.

Re: how to descript the password

Posted: Mon Feb 02, 2009 5:43 pm
by mickeyunderscore
Apollo wrote:
Skoalbasher wrote: Couldn't you make pepper using user specific info? like half of their real name, jumbled up or something?
Yes, but then if they ever change their real name (assuming users can do so, in their profile settings or whatever, or it may become possible in the future) then suddenly their password hash would become invalid.

If you have constant user values (for example the date he joined), then that would do fine.

Perhaps generating a random string when a user signs up and saving that with the user's details would work also. That would reduce the chance of two users sharing a salt.
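
The random per-user salt stored with the user's details, and the reason a lookup table works against unsalted md5(), shown as an added example that is not code from any poster in this thread. The function names, the sample users and their passwords are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: function names, the $users array and the passwords are
// constructed for illustration. Requires PHP 7+ (random_bytes, type declarations).

// Sign-up: generate a random per-user salt and store it beside the hash.
function make_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 32 hex characters, unique per user
    return ['salt' => $salt, 'hash' => hash('sha256', $password . $salt)];
}

// Login: recompute with the stored salt, compare in constant time.
function check_record(array $record, string $attempt): bool
{
    $candidate = hash('sha256', $attempt . $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

// Unsalted md5(), as in the first post: two users with the same password
// store the same value, so one lookup-table entry matches both of them.
$unsalted = ['alice' => md5('sample'), 'bob' => md5('sample')];
echo "unsalted hashes equal: ";
var_dump($unsalted['alice'] === $unsalted['bob']);

// Salted: the same password yields a different stored hash for each user,
// so a table precomputed without the salt no longer matches.
$users = ['alice' => make_record('sample'), 'bob' => make_record('sample')];
echo "salted hashes equal: ";
var_dump($users['alice']['hash'] === $users['bob']['hash']);

echo "correct password accepted: ";
var_dump(check_record($users['alice'], 'sample'));
echo "wrong password accepted: ";
var_dump(check_record($users['alice'], 'Sample'));

// A salted fast hash is still cheap to guess against. password_hash()
// (PHP 5.5+) generates the salt itself, uses a deliberately slow algorithm
// and embeds the salt and cost in the string it returns.
$stored = password_hash('sample', PASSWORD_DEFAULT);
echo "password_verify accepts correct password: ";
var_dump(password_verify('sample', $stored));
echo "password_verify accepts wrong password: ";
var_dump(password_verify('wrong', $stored));
```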