md5 assistance please

jossejf

I am trying to make some counter php/mysql code work that has problems as follows...

The code was written using mysql3.23 md5, but I'm running a previous version that does not use md5 so am converting to use php4.0.5's md5. My problem is, I don't understand md5'ing very well. I can encrypt a password with no problem as in...

$password=md5($password)

...but how the heck do you get the real password back? When I pass the encrypted version to md5 it seems to just further encrypt the encryption!
😐
Please help this newbie to php/mysql.
Many thanks in advance.
Jesse

Anon

Well, basically, you cannot.
What you have to do is to store the hash, hash the inputed password and compare it with the stored one.
You will also have to salt your password to get the same values each time the password is hashed. You may want to consider some manipulation on the user login as the salt, or some other information unique for this user (like his id or the timestamp created when the account was created).
Hope it helps and good luck ;-)

jossejf

Yes that helps.
I wrote a little test script that made it more clear to me thanks to you.
For what it's worth, here's the code thereto...

<?
$p1="mypasswordstring";
$p2=md5("mypasswordstring");
if ( md5($p1) == $p2 ) {
echo "p1 is the same as p2 ";
} else {
echo "p1 is not the same as p2 ";
}

$p3="mypasswordstring";
$p4=md5("notmypasswordstring");
if ( md5($p3) == $p4 ) {
echo "p3 is the same as p4 ";
} else {
echo "p3 is not the same as p4 ";
}
?>

Anon

Righto :-)
Well, it happens that the md5 function does not support salt. However, mhash does.
Why use a salt, well, sorry, my mystake, it is to limit possibilities of bruteforce attack.
Try
<?
$p1="mypasswordstring";
$p2=md5($p1);
if ( md5($p1) == $p2 ) {
echo "p1 is the same as p2 ";
} else {
echo "p1 is not the same as p2 ";
}
$p3="mypasswordstring";
$p4=md5($p3);
if ( md5($p3) == $p4 ) {
echo "p3 is the same as p4 ";
} else {
echo "p3 is not the same as p4 ";
}
$p5="mypasswordstring";
$p6=mhash (MHASH_MD5, $p5, "test1");
if ( mhash (MHASH_MD5, $p5, "test1") == $p6 ) {
echo "p5 is the same as p6 ";
} else {
echo "p6 is not the same as p6 ";
}
$p7=$p5;
$p8= mhash (MHASH_MD5, $p7, "test2");
if ( mhash (MHASH_MD5, $p7, "test2") == $p8 ) {
echo "p7 is the same as p8 ";
} else {
echo "p7 is not the same as p8 ";
}
if ( p6 == $p8 ) {
echo "p6 is the same as p8 ";
} else {
echo "p6 is not the same as p8 ";
}
?>

kparker

Why use a salt . . . it is to limit possibilities of bruteforce attack.

Actually, at least on unix, it was because originally the password file
was readable by everyone, and thus in the absense of salt, if you
picked the same password as another user, your crypted password
would be the same as theirs which you could have determined by
inspection. This is different than saying that the salt makes the
password cryptographically stronger, and as long as you don't let
the world read your crypted passwords, is not really an issue.