06-23-2005, 09:37 PM
#1
Regular Contributor
Join Date: Oct 2004
Posts: 192
un md5 a md5 hash?
I md5 passwords on my site and store them in a flat file. There's probably better ways to encode passwords, but I don't expect too many people trying to crack into my site. But I was wondering, is there a way you can get the original string out of the hash?
06-23-2005, 10:35 PM
#2
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,397
probably not.
__________________
testing 1 2 3
06-23-2005, 10:38 PM
#3
Regular Contributor
Join Date: Oct 2004
Posts: 192
Hmmm, not a real problem. I kinda wish there was a way to, though.
06-24-2005, 12:41 AM
#4
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,680
Just create some way of resetting it.
If the users have forgotten, there's no way they can tell if the dynamically created one for them was their original or not.
06-24-2005, 04:11 AM
#5
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
Nope, one way only. If you used something like mcrypt() it could be reversed.
Although it's no problem. As redhead said, just create a way to reset. The typical route is to create a unique key (md5 helps with this), store it somewhere on the site, then email them with this key (or a URL containing the key). From there they click on the link (or enter it in a form if you wish) and the system validates the key, resets the password and emails the new one to them.
-r
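The reset-key flow from #5, as an added example that is not part of the thread: the key is random rather than an md5 of something guessable, only sha1(key) is stored so a copy of the store alone does not yield usable links, and each key expires and is single-use. Function names, the one-hour lifetime and example.com are assumptions.

```php
<?php
// Added example (not from the thread): the reset-key flow described in #5,
// hardened with a random key, hashed storage, expiry and single use.
// Names below are hypothetical.

const RESET_TTL_SECONDS = 3600;   // links are valid for one hour (assumed policy)

// Hypothetical in-memory store keyed by sha1($key); a real site would keep
// this next to the user records. The raw key exists only in the email.
$resetStore = [];

function issueResetKey(array &$store, string $user, int $now): string
{
    $key = bin2hex(random_bytes(16));   // 128 bits of randomness, URL-safe hex
    $store[sha1($key)] = ['user' => $user, 'expires' => $now + RESET_TTL_SECONDS];
    return $key;
}

// Returns the user the key belongs to, or null if the key is unknown, expired,
// or already used. Every key is single-use: it is removed on first presentation.
function validateResetKey(array &$store, string $key, int $now): ?string
{
    $lookup = sha1($key);
    if (!isset($store[$lookup])) {
        return null;
    }
    $entry = $store[$lookup];
    unset($store[$lookup]);           // burn it whether or not it is still valid
    if ($now > $entry['expires']) {
        return null;
    }
    return $entry['user'];
}

// Constructed walk-through; example.com is a placeholder domain.
$now = time();
$key = issueResetKey($resetStore, 'alice', $now);
echo "Email this link to alice: https://example.com/reset.php?key=$key\n";

var_dump(validateResetKey($resetStore, $key, $now + 60));        // first use: returns the user
var_dump(validateResetKey($resetStore, $key, $now + 60));        // second use: rejected
$stale = issueResetKey($resetStore, 'bob', $now);
var_dump(validateResetKey($resetStore, $stale, $now + RESET_TTL_SECONDS + 1)); // expired: rejected
```

The example stops at validating the key; whether the site then emails a generated password (as in #5) or lets the user type a new one is a separate choice.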
06-28-2005, 05:00 PM
#6
Registered User
Join Date: Jun 2005
Posts: 2
If you're going to MD5, also remember to use a SALT and keep the salt above the webroot if you can:
$salt = 'pHpi$fUn99'; // single-quoted: in double quotes PHP would interpolate $fUn99 as a (nonexistent) variable
like: $secretHash = md5($string . $salt);
md5 can be brute forced with dictionary attacks with pretty good success... like if one of your users uses the password "home", someone could crack your passwords fairly easily. If you add a salt, the chances of them guessing the password PLUS the salt are pretty darn slim.
And as the other user stated above, MD5 is one way, so you can only do if(md5($string) === md5($string2))
06-28-2005, 05:29 PM
#7
Senior Contributor
Join Date: Mar 2005
Posts: 635
sha and md5 are hashing algorithms; they have only one-way encryption.
You can't decode them easily and you need special cracking software for it.
The hashing is only a server-side security measure but it's not bulletproof.
Most passwords are also stored in a cookie or session; these have the downside that they could be hijacked.
What the hacker does is just modify the browser cache and replace the cookie value with the found hash to get into your system.
To reduce the risk the cookie name should be dynamic (per website) and that way the hacker has to choose between 2 tougher tasks:
- guess the cookie name
- crack the hash
Another option to md5 is using sha1() (in PHP 4.3 and up).
At the moment it takes up to 3.5 years to crack a sha1, or 59 hours for a supercomputer.
PHP5 has the ability to use the hash in binary format instead of converted to hex coding. Another benefit here, since a lot of script kiddies can't copy/paste the binary cookie that easily (mostly due to special characters like 0x00, 0x07, etc.).
Session handling is a solution to prevent line tapping; that way the client never receives login details, only a cookie with a session-id. The hacker has to close his browser, hijack his cookie cache and start the browser.
With sessions you could prevent this by locking the session to an IP; if the IP of the client doesn't match the session it will be destroyed and the client has to log in.
This does have issues with people on AOL since AOL changes your IP almost every minute, which makes it annoying for them.
To prevent this you could use the HTTP_USER_AGENT instead of the IP and that way the hacker must have the same browser as you do.
If you don't need all this security then plain text passwords are more than sufficient and allow the client to receive his password by email if he forgot it.
06-29-2005, 07:16 AM
#8
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,397
I've also read articles that claimed that sha1 is a little better now since there were so many collisions with md5.
Salting sounds like a great method as well.
__________________
testing 1 2 3
06-30-2005, 06:26 AM
#9
$_['Your_Mom'];
Join Date: May 2002
Location: Santee
Posts: 627
Never used salt but it does sound very interesting.
Thanks.
06-30-2005, 04:46 PM
#10
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
Could always just use standard 3des which includes a salt.
-r
07-02-2005, 12:59 PM
#11
Regular Contributor
Join Date: Oct 2004
Posts: 192
Well yeah djmaze, I use AOL. I hate it, but I can't use anything else. I think I'm gonna start salting, and have the salt change every week or something like that.
07-03-2005, 07:42 AM
#12
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
Wouldn't that break previous passwords stored with a different salt? (unless you store the salt somewhere per password)
-r
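The salted scheme from #6, written the way #12 suggests (a salt stored per password in the flat file), as an added example that is not part of the thread. The record format user:salt:sha1(salt . password) and the function names are assumptions; with a per-record salt, a site-wide salt can be rotated without invalidating passwords already on disk.

```php
<?php
// Added example (not from the thread): per-password random salt stored in the
// same flat-file record, so changing a site-wide salt (#11) does not break
// existing logins (#12). Record format and names are hypothetical.

// Assumed record format: user:salt:sha1(salt . password)
function makeRecord(string $user, string $password): string
{
    $salt = bin2hex(random_bytes(16));   // random_bytes() needs PHP 7; never use mt_rand() here
    return $user . ':' . $salt . ':' . sha1($salt . $password);
}

function verifyRecord(string $record, string $user, string $password): bool
{
    $parts = explode(':', trim($record), 3);
    if (count($parts) !== 3 || $parts[0] !== $user) {
        return false;                    // malformed line or wrong user
    }
    [, $salt, $storedHash] = $parts;
    // hash_equals() instead of ===: an early-exit string comparison leaks
    // how much of the hash matched through timing.
    return hash_equals($storedHash, sha1($salt . $password));
}

// Constructed demo: two users both chose "home" (the weak password from #6).
// With a per-user salt their records differ, so a dictionary precomputed
// against one salt (or against unsalted sha1("home")) does not cover both.
$file = implode("\n", [makeRecord('alice', 'home'), makeRecord('bob', 'home')]);
echo $file, "\n";

$lines = explode("\n", $file);
var_dump(verifyRecord($lines[0], 'alice', 'home'));    // correct user and password
var_dump(verifyRecord($lines[0], 'alice', 'house'));   // wrong password
var_dump(verifyRecord($lines[1], 'alice', 'home'));    // right password, wrong record
var_dump(verifyRecord('garbage', 'alice', 'home'));    // malformed line
```

From PHP 5.5, password_hash() and password_verify() do the per-password salting and use a deliberately slow algorithm (bcrypt), which is the better choice for a real site; sha1 appears above only because it is what the thread discusses.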
07-03-2005, 08:36 AM
#13
Regular Contributor
Join Date: Oct 2004
Posts: 192
Yeah, it would break it. They'll just have to log in again. As long as they log in early in the week they stay logged in for the rest of the week.
07-03-2005, 06:12 PM
#14
Jack of all trades
Join Date: Feb 2005
Location: Los Angeles
Posts: 595
So they get a new password each week?
__________________
Stop intellectual property from infringing on me
07-03-2005, 07:51 PM
#15
Regular Contributor
Join Date: Oct 2004
Posts: 192
No. The password would remain the same but the salt wouldn't. I wouldn't need it to be that secure. I do know sites that have things that could get them shut down that email each member new passwords every month and they have to type in 5 passwords before they can log in. But I don't need that level of security.
Copyright © 2000-2006, Milano Interactive