md5() a password

Collapse
X
Collapse
+ More Options
Posts
 
  • Filter
  • Time
  • Show
Clear All
new posts
  • Andy128
    Major General

    • Dec 2005
    • 2317

    md5() a password

    Watdaflip made mention (in another thread) that passwords should be encrypted using md5() or sha1().

    Can you explain just how this works and is it necessary?

    Andy
    PHP- is a blast!
  • navaldesign
    General & Forum Moderator

    • Oct 2005
    • 12080

    #2
    Re: md5() a password

    md5 (MD5 Message Direct Algorithm) is a oneway encrypting algorithm. This means that you can encrypt a string (such as a password) using md5($password) but you can't go back from the md5() result to the password . So, practically, a hash (digital signature output) is created from the string. ( a 20 chrs hexnumber)

    Recent (after 1996) researches have shown some collisions in this algorithm, and most recent studies have found algorithms that can produce the same md5 result starting from different strings, which should not happen. However, for normal commercial applications this is secure enough, whilst in more critical ones other algorithms are used.

    How is it used in practice: the user inputs his desired password. using the md5() function, you get the md5() hash of the string. It is this that gets stored in the database and not the actual password. This way, it becomes rather improbable that someone can enter a database using an algorithm that tries millions of different passwords (if he has the time, since most scripts will accept only a limited number of trials, after which will block the user out).
    When the user logs in, the md5 hash of the password he posts through the login form, is compared to those stored in the database. If a mach is found, he is allowed to login, if not, he is not accepted.

    SHA1 is yet another similar algorithm (US Secure Hash Algorithm 1) but the output is a 40 chrs hexnumber.

    A problem with those methods (not a problem really): if the user forgets his password you cannot email him his password. A new one is automatcally created instead, stored (as md5 hash) in the database, and emailed to the user. he can then enter his account and change it to whatever he likes.
    Navaldesign
    Logger Lite: Low Cost, Customizable, multifeatured Login script
    Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
    DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
    Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

    Comment

    • Andy128
      Major General

      • Dec 2005
      • 2317

      #3
      Re: md5() a password

      Thanks Navaldesign-

      So I would simply store the md5() of the password in the database and then have the php compare that. For example.

      password for a user is - "mypassword" and the md5() equivilent = 34819D7BEEABB9260A5C854BC85B3E44

      So my php test would look like;

      if ($user_password != '34819D7BEEABB9260A5C854BC85B3E44')
      {
      echo "Your password does not match";
      }

      While the user simply enters mypassword in the form.

      I take it that is how it would work?

      Andy
      PHP- is a blast!

      Comment

      • navaldesign
        General & Forum Moderator

        • Oct 2005
        • 12080

        #4
        Re: md5() a password

        Originally posted by Andy128 View Post
        Thanks Navaldesign-

        So I would simply store the md5() of the password in the database and then have the php compare that. For example.

        password for a user is - "mypassword" and the md5() equivilent = 34819D7BEEABB9260A5C854BC85B3E44

        So my php test would look like;

        if ($user_password != '34819D7BEEABB9260A5C854BC85B3E44')
        {
        echo "Your password does not match";
        }

        While the user simply enters mypassword in the form.

        I take it that is how it would work?

        Andy
        The user actually types "mypassword" in the login form. But, you need to compare the md5 hash with the value stored in the database(or hardcoded). So you should have:

        if (md5($user_password) != '34819D7BEEABB9260A5C854BC85B3E44')
        {
        echo "Your password does not match";
        }

        This, supposing that 34819D7BEEABB9260A5C854BC85B3E44 is hardcoded, otherwise you need to look in the database (or flat file) to see if this value is found or not.
        Navaldesign
        Logger Lite: Low Cost, Customizable, multifeatured Login script
        Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
        DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
        Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

        Comment

        • Andy128
          Major General

          • Dec 2005
          • 2317

          #5
          Re: md5() a password

          Very cool! Thanks a bunch.

          The weekend is almost here. Hope you have a great one!

          Andy
          PHP- is a blast!

          Comment

          • navaldesign
            General & Forum Moderator

            • Oct 2005
            • 12080

            #6
            Re: md5() a password

            Thank you Andy, i wish the same to you.
            Navaldesign
            Logger Lite: Low Cost, Customizable, multifeatured Login script
            Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
            DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
            Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

            Comment

            Working...