[RESOLVED] unhashing

Beffic

Hello, I am making a change password script and I am trying to unhash passwords to match the old password to continue to change the password. The only way it notices the old password is if it is the md5 code itself.

here is what I have...

if($oldpass==$User['Password']){
  echo"Password Changed! <a href=editacc.php>Back</a>";
  exit;

 }else{
 echo"Your old password did not match! <a href=editacc.php>Back</a>";
 exit;
 }

laserlight

Instead of trying to "unhash" (i.e., compute the preimage given the hash), compute the hash of the given password and check it with the current password hash.

Beffic

Ohhhh... don't know why i didn't think of that.

Thanks Ill try that out!

Beffic

Yeah it worked.

Thanks!
-Beffic

laserlight

By the way, hashing passwords for storage is only to protect your users in the event that your database is compromised. As such, an attacker is likely to be able to use rainbow tables and such in an offline attack. Consequently, just hashing with MD5 is not good enough. At the very least, you need to use a salt.