Md5 encrypted passwords

klavixs · 09-16-2006, 10:43 AM

Warning to novices in php this is a pretty advanced script and should be used by a person who is very knowledge in php if you insist on useing it on a novice stage it's at your own risk.

This scrypt checks a user inputed password and then encrypts it and checks the db's version of the md5 enc to see it is correct

PHP Code:

   
//str is the inputed password the user gave

Function Encpass($str)

 
{

 
//this now encrypts the inputed password

md5($str);

 
//this checks the encrypted version of the inputed password

//to the databases stored version to see if it's correct

//change usrpass to whatever variable you use for the retrieved pass from db your checking

if (md5($str) == $usrpass)

 

 {

  //in your script check, if Cvalue equals 2 and it's a correct pass

  $Cvalue = "2";

 

  }

 

  else

  {

  //but if its a 1 it's incorrect password

  $Cvalue = "1";

  }

 
}

//you should next check Cvalue to make sure it equals 2

//if you use this and like it a link to my website is appreciated but not required

// my website is http://onfiretechnologies.com and it's an arcade of flash games 

// and has lots of cheat codes so use what ever relateing text you wish

this next part is for user registration

PHP Code:

  //this part is for user registration to encrypt password in md5

//stpass is the inputed password to encrypt

Function CMd5Pass($stpass)

{

//npass is the new encrypted version of the orignal inputed pass

$Npass = md5($stpass)

????: NamePros.com http://www.namepros.com/code/238391-md5-encrypted-passwords.html
}

 
//now to enter it in db. save the Npass variable to the db for password

//if you use this and like it a link to my website is appreciated but not required

// my website is http://onfiretechnologies.com and it's an arcade of flash games 

????: NamePros.com http://www.namepros.com/showthread.php?t=238391
// and has lots of cheat codes so use what ever relateing text you wish

Noobie · 09-16-2006, 11:58 AM

I'm confused but....

PHP Code:

  md5($str); //that line does nothing 

????: NamePros.com http://www.namepros.com/showthread.php?t=238391

run the script below you'll see.

PHP Code:

  <?php

$str = "a";

md5($str);

echo $str;

?>

The function is a little redundant but its a good way to advertise your site.

Dan · 09-16-2006, 12:08 PM

PHP Code:

  if (md5($str) == $usrpass)

That wouldn't work. You'd have to make $usrpass a global variable or make it in your function's input.

.. and for $Cvalue, I think it's more or less the same thing. You need to make it a global variable for it to be used outside of the function.
????: NamePros.com http://www.namepros.com/showthread.php?t=238391

The next code you posted just md5()'s the text and doesn't do anything with it.

klavixs · 09-16-2006, 12:21 PM

the following is from www.w3schools.com

Quote:

Definition and Usage

The md5() function calculates the MD5 hash of a string.

The md5() function uses the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

From RFC 1321 - The MD5 Message-Digest Algorithm: "The MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."

This function returns the calculated MD5 hash on success, or FALSE on failure.
Syntax

md5(string,raw)

Parameter Description
string Required. The string to be calculated
raw Optional. Specifies hex or binary output format:

* TRUE - Raw 16 character binary format
* FALSE - Default. 32 character hex number

Note: This parameter was added in PHP 5.0
????: NamePros.com http://www.namepros.com/showthread.php?t=238391

Example 1

<?php
$str = "Hello";
echo md5($str);
?>

The output of the code above will be:

8b1a9953c4611296a827abf8c47804d7

Example 2

In this example we will print the result of md5() and then test it:

<?php
$str = "Hello";
echo md5($str);

if (md5($str) == '8b1a9953c4611296a827abf8c47804d7')
{
echo "<br />Hello world!";
exit;
}
?>

The output of the code above will be:

8b1a9953c4611296a827abf8c47804d7
Hello world!

you might be right about the globals but it was a quick throw together for a friend

sdsinc · 09-16-2006, 02:59 PM

A bit offtopic but isn't it best to use sha1 instead of md5 ?

Noobie · 09-16-2006, 04:46 PM

i've switched to sha1

Dan · 09-16-2006, 04:47 PM

I know how to use md5()...

You are using it inside of another function to do the same exact thing with a longer name and yours won't work.

Read: http://us3.php.net/global

Barrucadu · 09-16-2006, 05:37 PM

Heres a fixed version!

PHP Code:

  function Validate($str, $passwd){

????: NamePros.com http://www.namepros.com/showthread.php?t=238391
     if(md5($str) == $passwd){

          return true;

     }else{

          return false;

     }

}

 
function Hash($str){

     return md5($str);

}

Richard · 10-20-2006, 04:34 PM

i highly suggest you don't use this code for MD5 encryption, extremely easy to crack (approx 1 - 3 seconds). In fact, you can crack it online at http://www.md5database.net/

to make it more secure you use a salt.

dhscott · 10-20-2006, 05:37 PM

Look, Md5 is stupidly hard to hack so don't say it is. People have got lucky with matching words with md5 hashes, simple as.

Using one or the other is not going to be sensible, the same result could happen.

The best you could do is to put an md5 into an sha1 and into rot13 and into salt...

Or simply just md5 the md5 hash...

Dan · 10-20-2006, 05:41 PM

Originally Posted by qwhois

Or simply just md5 the md5 hash...

Bingo.

Kadenz · 10-20-2006, 06:38 PM

Well, you could encrypt something easily. Just keep on md5ing and salting and sha1ing until your computer crashes, so it's pretty hard to crack stuff.

Tree · 10-20-2006, 07:23 PM

I just use md5 -> salt (700-7000 chars) -> sha1 -> rot13 -> md5

Works for me.

TwistMyArm · 10-21-2006, 06:49 AM

Just to add my two cents worth: MD5 is NOT an encryption process, it's a hashing process.

Please, especially when using a "pretty advanced script" (sic) such as this, can we at least use the correct terminology?

Tree · 10-21-2006, 02:13 PM

Good point. Encryption processes can be decrypted using a standard algorithm. Hashes cannot.

neroux · 10-25-2006, 03:02 AM

Originally Posted by Richy

i highly suggest you don't use this code for MD5 encryption, extremely easy to crack (approx 1 - 3 seconds). In fact, you can crack it online at http://www.md5database.net/

to make it more secure you use a salt.

MD5 has its weaknesses, but it cannot be cracked in 3 second by far.

Richard · 10-25-2006, 08:52 PM

lmao, i have a 15 digit hash, md5database.net decrypts it straight away :S.

but if i use md5 then md5 and salt over that, it cant... that is much stronger. (type of hash ipb uses etc)

JBebbington · 10-26-2006, 01:58 AM

You do not get that there are billions of combinations, and md5database is very incomplete, there is a small chance that it has a standard dictionary word, but a mixed case, mixed character, and completely random string it will not decode.

RickM · 10-26-2006, 02:23 AM

md5database does not crack the MD5 keys, it has a database of keys people have entered...it only retrieves the already cracked info. If i enter "1234" into it to be encoded, that then gets added to their database. For example, i entered "88a712d55763cc29bb2986bba2493408" ("fgsg4352gv") into the decoder and it found nothing, but if i enter "fgsg4352gv" into the encoder it will then be added to the database.

To crack a md5 line takes quite a while...i created a script to do it and it took the script all day to crack a 5 char string.

The best way to protect yourself is double md5, salt or SH1 (but even SH1 can be cracked).

I've put together an encryption tool below, feel free to use it on your localhost to test out passwords and stuff

PHP Code:

 
  <?php

 
if($_POST['submit']) {

 
$username=htmlspecialchars(addslashes($_POST['username']));

$password=htmlspecialchars($_POST['password']);

 
//Simple MD5

$password2=md5($password);

 
//Double MD5

$password3=md5(md5($password));

 
//Almost foolproof, MD5, SHA1, MD5, SHA1

$password4=md5(sha1(md5(sha1($password))));

 
//Alternativly use a "salt" string (random 3 characters for each user in the database that is added to the begining or end of the encryption. Example below:

$salt="&~/"; //Normaly this comes from the DB but im just doing an example here.

$password5=md5($password.$salt);

????: NamePros.com http://www.namepros.com/showthread.php?t=238391
????: NamePros.com http://www.namepros.com/showthread.php?t=238391
 
//Now i'll echo it all out into a nice little document :)

echo"<strong>RMWebs.net MD5 Tool</strong><br />You Entered The Following Information:<br /><strong>Username:</strong> ".$username."<br /><strong>Password:</strong> ".$password."<br /><br />

Here is the result of different methods of encryption:<br /><br />

 
<strong>Simple MD5:</strong> ".$password2."<br />

<strong>Double MD5:</strong> ".$password3."<br />

<strong>MD5-SHA1-MD5-SHA1:</strong> ".$password4."<br />

<strong>MD5+Salt:</strong> ".$password5."<br />

<br />

<strong>Recommended Use:</strong> MD5+Salt<br />

<strong>Most easy to crack:</strong> Simple MD5 followed by Double MD5<br /><br />

 
<font size=\"1\"><a href=\"http://www.rmwebs.net\">More usefull code and tools at RMWebs.net</a></font>";

 
 
}else {

?>

<form action="" method="POST">

Username: <input type="text" name="username" /><br />

Password: <input type="password" name="password" /><br />

<input type="submit" name="submit" value="Go!" />

</form>

<?php } ?>

Barrucadu · 10-26-2006, 03:17 AM

I dont particularly like MD5, mainly because of md5 databases. I do however, have to use it because phpbb2 uses MD5 and I cant be bothered to rehash all the passwords, lol.

This is my preferred method when hashing passwords:

PHP Code:

  $hash = base64_encode(rot13(md5(sha1($password).$salt)).sha1($password.md5($password)).$password); 

????: NamePros.com http://www.namepros.com/showthread.php?t=238391

RickM · 10-26-2006, 04:03 AM

Good method there...very secure

Heres another one...pretty much uncrackable (well...unless you can figure out a way to decode over 11 characters at a time)

PHP Code:

  $hash=md5(sh1(str_rot13(md5(md5(md5($password.md5(sh1($password.$salt)))))))); 

????: NamePros.com http://www.namepros.com/showthread.php?t=238391

If you can crack that then you are very desperate

neroux · 10-26-2006, 05:32 AM

Originally Posted by Richy

lmao, i have a 15 digit hash, md5database.net decrypts it straight away :S.

but if i use md5 then md5 and salt over that, it cant... that is much stronger. (type of hash ipb uses etc)

MD5 cannot be decrypted. The site you mentioned just has a list of some MD5 values with the respective data, on which it performs a lookup, this can be achieved with each hash method.

RickM · 10-26-2006, 10:24 AM

Originally Posted by neroux

MD5 cannot be decrypted. The site you mentioned just has a list of some MD5 values with the respective data, on which it performs a lookup, this can be achieved with each hash method.

Actualy MD5 CAN be decrypted...and pretty easily at that.

TwistMyArm · 10-26-2006, 10:29 AM

MD5 CANNOT be decrypted, as it's not encryption in the first place!

Yes, finding a string of some sort that hashes to the same value as the string we want is relatively simple, but that is not decryption.

RickM · 10-26-2006, 11:22 AM

Call it what you like...the fact is you can turn an MD5 string back to its origional state. End of story.

09-16-2006, 10:43 AM	THREAD STARTER #1 (permalink)
klavixs Account Suspended Join Date: Aug 2006 Location: Under a Bridge Posts: 200	Md5 encrypted passwords Warning to novices in php this is a pretty advanced script and should be used by a person who is very knowledge in php if you insist on useing it on a novice stage it's at your own risk. This scrypt checks a user inputed password and then encrypts it and checks the db's version of the md5 enc to see it is correct PHP Code: //str is the inputed password the user gave Function Encpass($str) { //this now encrypts the inputed password md5($str); //this checks the encrypted version of the inputed password //to the databases stored version to see if it's correct //change usrpass to whatever variable you use for the retrieved pass from db your checking if (md5($str) == $usrpass) { //in your script check, if Cvalue equals 2 and it's a correct pass $Cvalue = "2"; } else { //but if its a 1 it's incorrect password $Cvalue = "1"; } } //you should next check Cvalue to make sure it equals 2 //if you use this and like it a link to my website is appreciated but not required // my website is http://onfiretechnologies.com and it's an arcade of flash games // and has lots of cheat codes so use what ever relateing text you wish this next part is for user registration PHP Code: //this part is for user registration to encrypt password in md5 //stpass is the inputed password to encrypt Function CMd5Pass($stpass) { //npass is the new encrypted version of the orignal inputed pass $Npass = md5($stpass) ????: NamePros.com http://www.namepros.com/code/238391-md5-encrypted-passwords.html } //now to enter it in db. save the Npass variable to the db for password //if you use this and like it a link to my website is appreciated but not required // my website is http://onfiretechnologies.com and it's an arcade of flash games ????: NamePros.com http://www.namepros.com/showthread.php?t=238391 // and has lots of cheat codes so use what ever relateing text you wish

09-16-2006, 11:58 AM	#2 (permalink)
Noobie NamePros Regular Join Date: Feb 2006 Location: Montreal, Quebec, Canada Posts: 324	I'm confused but.... PHP Code: `md5($str); //that line does nothing ????: NamePros.com http://www.namepros.com/showthread.php?t=238391` run the script below you'll see. PHP Code: `<?php $str = "a"; md5($str); echo $str; ?>` The function is a little redundant but its a good way to advertise your site. __________________ Goldkey.com is a scam What's your BMI? \| Timestamp Generator

09-16-2006, 12:08 PM	#3 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,792	PHP Code: `if (md5($str) == $usrpass)` That wouldn't work. You'd have to make $usrpass a global variable or make it in your function's input. .. and for $Cvalue, I think it's more or less the same thing. You need to make it a global variable for it to be used outside of the function. ????: NamePros.com http://www.namepros.com/showthread.php?t=238391 The next code you posted just md5()'s the text and doesn't do anything with it.

09-16-2006, 02:59 PM	#5 (permalink)
sdsinc Domains my Dominion Join Date: Aug 2005 Location: Web 1.0 Posts: 9,955	A bit offtopic but isn't it best to use sha1 instead of md5 ? __________________ NameNewsletter.com - free lists of available domain names ZoneFiles.net (beta) - ccTLD and gTLD droplists

09-16-2006, 04:46 PM	#6 (permalink)
Noobie NamePros Regular Join Date: Feb 2006 Location: Montreal, Quebec, Canada Posts: 324	i've switched to sha1 __________________ Goldkey.com is a scam What's your BMI? \| Timestamp Generator

09-16-2006, 04:47 PM	#7 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,792	I know how to use md5()... You are using it inside of another function to do the same exact thing with a longer name and yours won't work. Read: http://us3.php.net/global

09-16-2006, 05:37 PM	#8 (permalink)
Barrucadu Senior Member Join Date: Aug 2005 Location: East Yorkshire, England Posts: 2,689 Follow @barrucadu	Heres a fixed version! PHP Code: `function Validate($str, $passwd){ ????: NamePros.com http://www.namepros.com/showthread.php?t=238391 if(md5($str) == $passwd){ return true; }else{ return false; } } function Hash($str){ return md5($str); }` __________________ Website \| Blog Arch Hurd developer; GNU Webmaster; FSF member #8385

10-20-2006, 04:34 PM	#9 (permalink)
Richard NamePros Regular Join Date: Jan 2006 Posts: 571	i highly suggest you don't use this code for MD5 encryption, extremely easy to crack (approx 1 - 3 seconds). In fact, you can crack it online at http://www.md5database.net/ to make it more secure you use a salt.

10-20-2006, 05:37 PM	#10 (permalink)
dhscott Senior Member Join Date: Apr 2006 Posts: 1,345	Look, Md5 is stupidly hard to hack so don't say it is. People have got lucky with matching words with md5 hashes, simple as. Using one or the other is not going to be sensible, the same result could happen. The best you could do is to put an md5 into an sha1 and into rot13 and into salt... Or simply just md5 the md5 hash...

10-20-2006, 06:38 PM	#12 (permalink)
Kadenz Resistance is Futile Join Date: Apr 2006 Location: Montreal, Canada Posts: 1,094 Follow @MitchellBundy	Well, you could encrypt something easily. Just keep on md5ing and salting and sha1ing until your computer crashes, so it's pretty hard to crack stuff. __________________ Freelance Web Developer PHP, MySQL, XHTML, CSS, Javascript, jQuery, Wordpress Portfolio: www.bundy.ca

10-20-2006, 07:23 PM	#13 (permalink)
Tree NamePros Regular Join Date: Feb 2006 Location: Atlanta, GA, USA Posts: 335	I just use md5 -> salt (700-7000 chars) -> sha1 -> rot13 -> md5 Works for me.

10-21-2006, 06:49 AM	#14 (permalink)
TwistMyArm NamePros Member Join Date: May 2006 Posts: 160	Just to add my two cents worth: MD5 is NOT an encryption process, it's a hashing process. Please, especially when using a "pretty advanced script" (sic) such as this, can we at least use the correct terminology? __________________ Free Fuel Efficiency Calculator \| Buy CMS Templates

10-21-2006, 02:13 PM	#15 (permalink)
Tree NamePros Regular Join Date: Feb 2006 Location: Atlanta, GA, USA Posts: 335	Good point. Encryption processes can be decrypted using a standard algorithm. Hashes cannot.

10-25-2006, 08:52 PM	#17 (permalink)
Richard NamePros Regular Join Date: Jan 2006 Posts: 571	lmao, i have a 15 digit hash, md5database.net decrypts it straight away :S. but if i use md5 then md5 and salt over that, it cant... that is much stronger. (type of hash ipb uses etc)

10-26-2006, 01:58 AM	#18 (permalink)
JBebbington NamePros Regular Join Date: Sep 2006 Posts: 634	You do not get that there are billions of combinations, and md5database is very incomplete, there is a small chance that it has a standard dictionary word, but a mixed case, mixed character, and completely random string it will not decode.

10-26-2006, 02:23 AM	#19 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	md5database does not crack the MD5 keys, it has a database of keys people have entered...it only retrieves the already cracked info. If i enter "1234" into it to be encoded, that then gets added to their database. For example, i entered "88a712d55763cc29bb2986bba2493408" ("fgsg4352gv") into the decoder and it found nothing, but if i enter "fgsg4352gv" into the encoder it will then be added to the database. To crack a md5 line takes quite a while...i created a script to do it and it took the script all day to crack a 5 char string. The best way to protect yourself is double md5, salt or SH1 (but even SH1 can be cracked). I've put together an encryption tool below, feel free to use it on your localhost to test out passwords and stuff PHP Code: <?php if($_POST['submit']) { $username=htmlspecialchars(addslashes($_POST['username'])); $password=htmlspecialchars($_POST['password']); //Simple MD5 $password2=md5($password); //Double MD5 $password3=md5(md5($password)); //Almost foolproof, MD5, SHA1, MD5, SHA1 $password4=md5(sha1(md5(sha1($password)))); //Alternativly use a "salt" string (random 3 characters for each user in the database that is added to the begining or end of the encryption. Example below: $salt="&~/"; //Normaly this comes from the DB but im just doing an example here. $password5=md5($password.$salt); ????: NamePros.com http://www.namepros.com/showthread.php?t=238391 ????: NamePros.com http://www.namepros.com/showthread.php?t=238391 //Now i'll echo it all out into a nice little document :) echo"<strong>RMWebs.net MD5 Tool</strong><br />You Entered The Following Information:<br /><strong>Username:</strong> ".$username."<br /><strong>Password:</strong> ".$password."<br /><br /> Here is the result of different methods of encryption:<br /><br /> <strong>Simple MD5:</strong> ".$password2."<br /> <strong>Double MD5:</strong> ".$password3."<br /> <strong>MD5-SHA1-MD5-SHA1:</strong> ".$password4."<br /> <strong>MD5+Salt:</strong> ".$password5."<br /> <br /> <strong>Recommended Use:</strong> MD5+Salt<br /> <strong>Most easy to crack:</strong> Simple MD5 followed by Double MD5<br /><br /> <font size=\"1\"><a href=\"http://www.rmwebs.net\">More usefull code and tools at RMWebs.net</a></font>"; }else { ?> <form action="" method="POST"> Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password" /><br /> <input type="submit" name="submit" value="Go!" /> </form> <?php } ?> __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

10-26-2006, 03:17 AM	#20 (permalink)
Barrucadu Senior Member Join Date: Aug 2005 Location: East Yorkshire, England Posts: 2,689 Follow @barrucadu	I dont particularly like MD5, mainly because of md5 databases. I do however, have to use it because phpbb2 uses MD5 and I cant be bothered to rehash all the passwords, lol. This is my preferred method when hashing passwords: PHP Code: `$hash = base64_encode(rot13(md5(sha1($password).$salt)).sha1($password.md5($password)).$password); ????: NamePros.com http://www.namepros.com/showthread.php?t=238391` __________________ Website \| Blog Arch Hurd developer; GNU Webmaster; FSF member #8385

10-26-2006, 04:03 AM	#21 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Good method there...very secure Heres another one...pretty much uncrackable (well...unless you can figure out a way to decode over 11 characters at a time) PHP Code: `$hash=md5(sh1(str_rot13(md5(md5(md5($password.md5(sh1($password.$salt)))))))); ????: NamePros.com http://www.namepros.com/showthread.php?t=238391` If you can crack that then you are very desperate __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

10-26-2006, 10:29 AM	#24 (permalink)
TwistMyArm NamePros Member Join Date: May 2006 Posts: 160	MD5 CANNOT be decrypted, as it's not encryption in the first place! Yes, finding a string of some sort that hashes to the same value as the string we want is relatively simple, but that is not decryption. __________________ Free Fuel Efficiency Calculator \| Buy CMS Templates

10-26-2006, 11:22 AM	#25 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Call it what you like...the fact is you can turn an MD5 string back to its origional state. End of story. __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)