
md5() usage? When it can be reversed?

Posted: Sat Mar 24, 2007 10:23 am
by keenlearner
I have come across a very good login tutorial, but I am not sure why, when we want to store a user password in the database, we have to hash the password using the function md5() and store it, instead of storing the real password in the database. I thought the md5 values can be reversed to get the real password. So what is the use of the md5() function exactly? Can anyone clarify this for me? Thank you.

Posted: Sat Mar 24, 2007 10:35 am
by feyd
It cannot be reversed. That is its benefit. You have to compare the hashed form of the submitted password to the stored hash.

If your database is compromised somehow, which is quite often possible, you do not want your users' passwords to be in the wild so easily, so you hash them. Preferably you hash them with at least a one-time pad, possibly adding a static pad for extra entropy.

And before you attempt to think "if hashing once is good, hashing twice must be AWESOME!!!11!" you would be wrong. In truth, it's less secure when hashed twice.

Posted: Sat Mar 24, 2007 12:35 pm
by keenlearner
Thanks for your reply. I mean we actually can determine the real password from the hash code, such as with this website http://md5.benramsey.com/

Posted: Sat Mar 24, 2007 12:51 pm
by feyd
That's why we use pads; making rainbow and dictionary attacks pretty useless.
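
The scheme described in the replies above, as an added example that is not part of the original thread: a bare md5() hash of a common password is found in a precomputed lookup table, while the same password hashed with a random per-user pad (commonly called a salt) and a static pad is not, and login still works by re-hashing and comparing. The function names, the `$pepper` value and the word list are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. All names and values below are constructed for the example.

// Static pad shared by every account; kept outside the database (constructed value).
$pepper = 'constructed-static-pad-not-a-real-secret';

// Registration: generate a fresh random pad for this user and store it with the hash.
function store_password(string $password, string $pepper): array
{
    $salt = bin2hex(random_bytes(16)); // 128 bits from the system CSPRNG
    return ['salt' => $salt, 'hash' => md5($salt . $password . $pepper)];
}

// Login: re-hash the submitted password with the stored pad and compare the hashes.
function check_password(string $submitted, array $record, string $pepper): bool
{
    $candidate = md5($record['salt'] . $submitted . $pepper);
    return hash_equals($record['hash'], $candidate); // constant-time comparison
}

// A lookup site works from a table like this: hash => original word.
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Constructed sample data.
$lookup = build_lookup(['123456', 'password', 'letmein', 'qwerty']);
$bare   = md5('letmein');                     // what the tutorial would store
$record = store_password('letmein', $pepper); // padded form

echo 'bare hash found in table:   ';
var_export(isset($lookup[$bare]));
echo PHP_EOL . 'padded hash found in table: ';
var_export(isset($lookup[$record['hash']]));
echo PHP_EOL . 'correct password accepted:  ';
var_export(check_password('letmein', $record, $pepper));
echo PHP_EOL . 'wrong password accepted:    ';
var_export(check_password('letmein1', $record, $pepper));
echo PHP_EOL;
```

md5() is used here only because it is the function the thread discusses; PHP's password_hash() and password_verify() generate and store the salt themselves and use a deliberately slow algorithm.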

Posted: Sat Mar 24, 2007 2:43 pm
by keenlearner
Sorry, I don't get the pad. What is that about? Thank you if you can clarify it for me.

Posted: Sat Mar 24, 2007 2:48 pm
by feyd
Here is one of the more recent threads on the subject of hashing. It brings most of the issues into a consolidated group.

viewtopic.php?t=62782

Posted: Sat Mar 24, 2007 2:52 pm
by keenlearner
Thanks for the resource, it's good information, I am reading it. :D