MD5 (stupid) question ? **URGENT**

MD5 (stupid) question ? URGENT

Anon

Hi,

I have a doubt, if I encrypt something using md5 is that reversible. That is, if I store some data md5 encrypted can I later de-crypt and read it in plain text ?

Thank you

Turbo

Anon

No, you cannot decode a hash, becaause a hash is not an encrypted string, it is a one way operation.

trellie

what will you be using? for password matching md5's can be easily used...

Anon

Hi,

Tnx in first place.

The thing is that I'm storing passwords in mysql database. I need to compare the entered password to authenticate (which I can do) but I would like to have a "forgot your pword" thing so users could have the pword mailed to them... How should I do this ?

Many thanks

Turbo

Anon

Yes. The thing is I'm inserting the data into mysql with password('$data'). I can check if I have a valid password but I would like to be able to retrieve the password from the db in a readable way... any suggestions ?

Turbo

[deleted]

You can't get the password back out from an md5, so instead you'll have to reset the password to a new password and mail that password to the user.

Anon

Hi,

Isn't there any other way (besides storing the password in plain text, of course) ?

The thing is we all know sites where they mail our pword back if we need and I don't believe all of them store the pword in readable text format...

Tnx

Turbo

jc94062

They may not, they may use something other than PHP or may just use mcrypt to store the password instead, which CAN be decrypted.

A lot of sites will reset the password first though, if a sites sending you the password back on request in plain text, I suggest you move to a more secure site if available.

Anon

Usually people refrain to store password in readable ways, be it plain text or encrypted, for fear of it being discovered and decrypted (if someone had access to your encrypted passwords list, he may as well have got access to the encryption key).
The same goes for md5 hashes. Building a dictionnary of hashed names is trivial and has been used with success. One can use salt to add some length to the process, but in the end if your password list is compromised, whatever its form, its blown.
Now, crypting password may seem to be an idea, provided that the key is kept in a safe place, preferrably offline. So, the possibilities of automation are really limited (like inexistent) if you go for this. Thus why bother with a key and encryption if a (preferrably salted) hash will do the trick ...

rockert

Well, a lot of sites do a question/hint that is simply a hint to there password. it is not the password itself, but it is something that should remind them of it.

Anon

Hi all :-)
I am new to this, and this crypto stuff seems really, well, let's say a little bit on the paranoiac side. Common, who will ever want your secret password to your great Magic(tm) cards collection data base.
I understand that one may want some protection for password giving access to the system, but for simple stuff isn't it pulling things a little too far ?
Corect me if am I am wrong, but wouldn't it be possible to keep the passwords list out of the server root and still access it using a PHP page ? Isn't it enough security for you ?
Best regards :-)

Anon

Hi,

Well the issue here is not so much about protection, but it all started as how to do the following:

storing pwords in mysql, not in plain text
being able to retrieve the original pword from the db and not the md5 hash.

The only way found till now was to give the user a new password whenever he had forgotten it and asked for it!

The good thing would be to be able to give the "old" password in plain text to him, but not having to store it in plain text in the db!!!

More ideas ?

Turbo

Anon

this is the dumb @!#$ thinking that gets sites hacked in 2 minutes...

ok, you are taking all the time to encrypt passwords 1 way 'securing' your users accounts... why are you doing that? because you assume that someone will gain access to your database and then query all the passwords and ruin all your accounts. smart move!!

but now you want to add functionality to email (PLAIN TEXT VERY INSECURE) the password to the user... if i can break into your system and view the database (which you are assuming i can because i am l33t hAx0er) then i sure as @!#$ can sniff you emailing these passwords and do just as much damage.

NEVER NEVER Email passwords if you care about security in the least.

"but i want to make sure their email address exists so i can spam the hell out of them with this cool newsletter that pays me $.05"
die slowly.

"but i want to ensure 1 account per person"
heard of hotmail? dumb plan. try IP's mixed with cookies and other browser info. not 100% but better than email.

"i don't want users to pick their own initial password"
find another way of distributing the passwords then.

Anon

Michael:

How do you ensure one account per user with IP + browser info ?

Most of the people have a different IP address each time they get online...

Suggestions ?

One other thing, assuming you don't store plain text password in the db, which do you think it's the best way for the user to enter the system in case he forgot the original pword ?

Turbo

Anon

How do you ensure one account per user with >IP + browser info ?

that is why i said it wasn't 100%... and i also said cookies as well. ANY SYSTEM YOU IMPLEMENT CAN BE BROKEN, so don't waste you time trying to perfect it, or i'll go down to a computer lab and use 10 hotmail accounts on 10 different boxes with 10 different IPs...

set a cookie on the machine and go by it. if the user is smart enough to delete the cookie or don't have cookies enabled... oh well! they could have gotten around it anyways.

One other thing, assuming you don't store >plain text password in the db, which do you >think it's the best way for the user to >enter the system in case he forgot the >original pword ?

1) use a hint phrase
2) use a question/answer model to ask before resetting the pass. after reseting the pass to something new, send it to the user using SSL
3) DON'T WORRY ABOUT IT! they lost the password... their fault.

if you want strong security (and it sounds like you do) these are the only steps.

mantra-> "i will not email passwords... i will not email passwords... mastah m will hAx0er my site if i email passwords..."

jscnet

Interesting thread.

Here's my two cents.

Security is important... so.

(a) create your own authentication scheme. for example:

The follow is not the code, but a description of what to code:

Store their password as a MD5 hash.
When they authenticate with your server, add (to the MD5 hash) the time, in seconds.

for example:

MD5(userspassword + timeInSeconds)

This will have the effect of creating a unique MD5 hash for their password each time they login. This approach is nearly equivilent to using the SKey / MD5 authentication scheme, and probably just as secure.

On the server side -- allow for (say) 10 to 15 seconds for authentication...

So, your server will (once it verifies the Username) -- will add the time to the users password and will create 10 or 15 MD5 hashes in a temp array by which it will compare that password to.

Before you do all of this, you need to make sure (on the client side) you sync the GTC time to whatever the GTC time is on the server.
Now -- none of this makes much sense if they are going to be tranmitting their password and username in clear text anyway -- the md5 hash would have to occur (on the client side) before it was transmitted.

Otherwise, you'll have to use a secure server to transmit the info, then MD5 hash it... which, I think is redundant.

If you want to store your passwords encrypted, and then want to be able to decrypt them as need be, then download PGP -- http://bs.mit.edu:8001/pgp-form.html

You can call the command line from PHP and encrypt and decrypt all day.

You may then send your users a PGP encrypted email with their password. However, they will need PGP installed in order to decrypt it, and their Public Key will need to be stored in your database so that you can encrypt a message to those individuals.

PGP is probably your best solution, all around. Even if you decide to send their passwords in clear text.

You can also store their clear text passwords in another database or text file, and encrypt & decrypt that database or text file as needed... off root in a NTFS or UFS tight location.

Good luck.
Jason

jscnet

Let me clarify:

MD5(userspassword + timeInSeconds)

timeInSeconds should actually include the date + hour + mins + seconds.

This will create a unique MD5 hash each and every time -- even if someone sniffs it -- it cannot be used, as the server will reject it. And it should be nearly impossible to crack the hash.

Jason

PS. I said nearly impossible

Anon

that would mean storing the passwords in the database as clear text and they wanted to avoid both.

SSL is a very good model... don't try to work around it. embrace it.