md5 (MD5 Message Direct Algorithm) is a one-way encrypting algorithm. This means that you can encrypt a string (such as a password) using md5($password), but you can't go back from the md5() result to the password. So, practically, a hash (digital signature output) is created from the string (a 20-character hex number).
Recent (after 1996) research has shown some collisions in this algorithm, and the most recent studies have found algorithms that can produce the same md5 result starting from different strings, which should not happen. However, for normal commercial applications this is secure enough, whilst in more critical ones other algorithms are used.
How it is used in practice: the user inputs his desired password. Using the md5() function, you get the md5() hash of the string. It is this that gets stored in the database and not the actual password. This way, it becomes rather improbable that someone can enter a database using an algorithm that tries millions of different passwords (if he has the time, since most scripts will accept only a limited number of trials, after which they will block the user out).
When the user logs in, the md5 hash of the password he posts through the login form is compared to those stored in the database. If a match is found, he is allowed to log in; if not, he is not accepted.
SHA1 is yet another similar algorithm (US Secure Hash Algorithm 1), but the output is a 40-character hex number.
A problem with those methods (not a problem really): if the user forgets his password, you cannot email him his password. A new one is automatically created instead, stored (as md5 hash) in the database, and emailed to the user. He can then enter his account and change it to whatever he likes.
Navaldesign Logger Lite:Low Cost, Customizable, multifeatured Login script Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart DBTechnosystems.comForms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more.... Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!
So I would simply store the md5() of the password in the database and then have the PHP compare that. For example:
password for a user is - "mypassword" and the md5() equivalent = 34819D7BEEABB9260A5C854BC85B3E44
So my PHP test would look like:
if ($user_password != '34819D7BEEABB9260A5C854BC85B3E44') { echo "Your password does not match"; }
While the user simply enters mypassword in the form.
I take it that is how it would work?
Andy
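The user actually types "mypassword" in the login form. But you need to compare the md5 hash with the value stored in the database (or hardcoded). So you should have:
// md5() returns lowercase hex, so upper-case it to match the stored value;
// !== keeps PHP from comparing hash strings loosely as numbers.
if (strtoupper(md5($user_password)) !== '34819D7BEEABB9260A5C854BC85B3E44')
{
    echo "Your password does not match";
}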
This, supposing that 34819D7BEEABB9260A5C854BC85B3E44 is hardcoded, otherwise you need to look in the database (or flat file) to see if this value is found or not.
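The login check discussed in this thread, next to its hardened form, as an added example that is not code from any poster or from the forum: unsalted MD5 records are still accepted, but are replaced with a salted `password_hash()` value on the first successful login. The `$users` array and the function names `is_legacy_md5` and `verify_login` are assumptions made for illustration; the hash value is the one quoted in the thread.

```php
<?php
// Added example: migrate unsalted MD5 password hashes to password_hash() at login.
// $users is a constructed in-memory stand-in for the database table.
$users = [
    // Legacy record: the md5 of "mypassword" as given in the thread (lowercased).
    'andy' => ['hash' => '34819d7beeabb9260a5c854bc85b3e44'],
];

function is_legacy_md5(string $stored): bool
{
    // password_hash() output starts with "$"; a bare MD5 is 32 hex characters.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

function verify_login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (is_legacy_md5($stored)) {
        // md5() returns lowercase hex; normalise the stored value and
        // compare in constant time.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        // Salted, deliberately slow hash produced by password_hash().
        $ok = password_verify($password, $stored);
    }

    // The plaintext is only available during login, so this is the moment
    // to replace a legacy or outdated hash with a current one.
    if ($ok && (is_legacy_md5($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

var_dump(verify_login($users, 'andy', 'wrong'));      // wrong password, record untouched
var_dump(verify_login($users, 'andy', 'mypassword')); // correct password, record upgraded
var_dump(is_legacy_md5($users['andy']['hash']));      // is the stored hash still bare MD5?
var_dump(verify_login($users, 'andy', 'mypassword')); // now checked by password_verify()
```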