Md5()

asgsoft · 03-04-2006, 01:29 PM

MD5, a hash encrytion of texts. although it is supposed to be uncovertable it can be converted back recently. it is a very easy function to use but uesed a lot in sending encrypted data and storing it, like this forum it uses it to store passwords. this is how it works:

PHP Code:

  $text="test text";

$encrypted= md5($text);

echo $encrypted;

this will ouput 1e2db57dd6527ad4f8f281ab028d2c70. but to make it more secure like what IPB does it to double encypt it. so it looks like this:
????: NamePros.com http://www.namepros.com/webmaster-tutorials/173486-md5.html

PHP Code:

  $text="test text";

$encrypted= md5(md5($text));

echo $encrypted;

this will output: a932721fa7514980123ca95f1e94cb47 which is harder to crack becuase it is an encrytption of an encryptiom.

hope that helps.

RickM · 05-10-2006, 06:53 AM

A better sollution is sh1

it works exactly the same as md5 except you replace md5 with sh1.

Combine this with ROT13 and salt and you have secure encryption

asgsoft · 05-10-2006, 09:46 AM

do you have any code examples?

dhscott · 05-10-2006, 11:29 AM

The only things I can think of that would require MD5() are for logins. For that you need a database, MySQL goes well with PHP.

An example I found on the net can be found here. I haven't tried it out yet, but I intend to later on just to see how it works. It requires MySQL.

Judging by reading the summary, it MD5's on the clientside and macthes it up on the serverside instead of sending a plain-text password as it were... I'm confused now!

Bah, i'll find an easier example that's easy to get!

asgsoft · 05-10-2006, 12:36 PM

I ment for rmwebs's post?

How will the code look like?

dhscott · 05-10-2006, 01:14 PM

D'oh! Didn't see you wrote the thread!

Not familiar with ROT13 either, what is this?

Tree · 05-10-2006, 03:54 PM

ROT13 advances letters thirteen characters.

a = n
b = o
c = p
etc, etc.

More on MD5
Too much about MD5

**Eric** · 05-10-2006, 05:18 PM

Originally Posted by rmwebs

A better sollution is sh1

it works exactly the same as md5 except you replace md5 with sh1.

Combine this with ROT13 and salt and you have secure encryption

I believe you mean sha1

????: NamePros.com http://www.namepros.com/showthread.php?t=173486

www.php.net/sha1

kiore · 05-11-2006, 04:22 AM

Originally Posted by rmwebs

Combine this with ROT13 and ...

Better still, for extra security, double encrypt with ROT13.

J4m!3 · 05-11-2006, 09:47 AM

Wow im confused lol

RickM · 05-31-2006, 07:22 AM

*a little bumpy update*

SHA1:

PHP Code:

  <?php    

if($_POST['go'] == 'Go')

{

    echo sha1($_POST['text']);

} else {

echo "<form method='post' action='encrypt.php'>

<input type='text' name='text'> <input type='submit' name='go' value='Go'>

</form>";

}

?>

That gives the SHA1 output.
For extra security:

PHP Code:

  <?php    

if($_POST['go'] == 'Go')

????: NamePros.com http://www.namepros.com/showthread.php?t=173486
{

    echo sha1(md5(str_rot13($_POST['text'])));

} else {

echo "<form method='post' action='encrypt.php'>

<input type='text' name='text'> <input type='submit' name='go' value='Go'>

</form>";

}

?>

The above will do SHA1, MD5 and then ROT13

dchesterton · 05-31-2006, 08:35 AM

Quote:

although it is supposed to be uncovertable it can be converted back recently

This statement is 100% false. You cannot convert back MD5, it is true that collisions have been found but all that means is that two different strings produce the same hash. They are still nearly impossible to find.

Any encryption is prone to dictionary attacks if you don't include a salt. An MD5 encryption with a salt will be more than enough for many sites out there although if you are serious about security I would recommend hashing with SHA256 or even SHA512 and including a pre-set SALT that only you know and a random SALT which will be stored in the database with the password. That way even if a user gets the hashed password and the SALT they still cannot use a dictionary attack as they do not have the secret salt that only you know.

Quote:

The only things I can think of that would require MD5() are for logins. For that you need a database, MySQL goes well with PHP.

An example I found on the net can be found here. I haven't tried it out yet, but I intend to later on just to see how it works. It requires MySQL.

Judging by reading the summary, it MD5's on the clientside and macthes it up on the serverside instead of sending a plain-text password as it were... I'm confused now!

You are correct that passwords are normally stored in a MySql database, but what if somebody (even a site admin) gains access to the database? The passwords are there in plain-text. If they are hashed (not encrypted, two totally different things) then it's impossible to find the users' password.

Unfortunately the password's will still be sent in plaintext from the client to the server, this is where SSL certificates are needed.

I have also heard, might not be completely true but if you hash an already hashed string it increases the chance of collisions. Don't ask me how though

????: NamePros.com http://www.namepros.com/showthread.php?t=173486

Hope that all made sense

RickM · 05-31-2006, 09:06 AM

Actualy, MD5 can be decrypted...it has only recently been found out though.

I wont post code up here that will prove this as i wouldnt want to create security problems for anyone, however i can assure you - MD5 is very decryptable...i have been able to decrypt upto 10 chars so far, and im sure others have got furthur.

I would appreciate it if people stopped PMing me asking for the code...regardless of your reasoning, i would prefer not to release it.

You can find it the same way i did...www.google.com

Scott · 05-31-2006, 02:24 PM

MD5 can't be decrypted... MD5 produces a cryptographic hash. A hash cannot be decrypted or "converted back". MD5 is still very safe if used with a salt.

NetworkTown.Net · 05-31-2006, 04:01 PM

Originally Posted by Scott

MD5 can't be decrypted... MD5 produces a cryptographic hash. A hash cannot be decrypted or "converted back". MD5 is still very safe if used with a salt.

well i just did a google search and found a site that can decrypt md5 i tried it and worked.

Scott · 05-31-2006, 04:22 PM

Originally Posted by gameztown

well i just did a google search and found a site that can decrypt md5 i tried it and worked.

OK. "Decrypt" this: 981d5552164c6b0865a9c161432c290e

dchesterton · 05-31-2006, 04:41 PM

Well please provide a link then. It is impossible to decrypt a hash, there is a difference between encryption and hashing. I'm guessing the site these people are referring to is http://www.md5decrypt.com/, try it with a string you have hashed and funnily enough it throws up an error, good isn't it! That site can only decrypt strings you have put into it, obviously it keeps a database of all strings entered and then tries to find a match.

When will you people learn that it's impossible to decrypt a proper md5 hash. It takes supercomputers weeks just to find a collision.

PoorDoggie · 06-01-2006, 01:00 PM

Originally Posted by Scott

OK. "Decrypt" this: 981d5552164c6b0865a9c161432c290e

heh... a very badly scripted error!

dhscott · 06-01-2006, 02:22 PM

If in doubt, hash it twice! (md5(md5))

I know wordpress does...

PoorDoggie · 06-01-2006, 02:31 PM

Originally Posted by qwhois

If in doubt, hash it twice! (md5(md5))
????: NamePros.com http://www.namepros.com/showthread.php?t=173486

I know wordpress does...

I do this:

PHP Code:

   
$str = "hello"; // string

 
$md5 = md5($str); // md5 the string

 
$new = substr($md5, 16).substr($md5, 0, 16); // put first 16 chars after first 16...

 
$last = md5($new); // md5 the resulting string...

but then again, maybe I am going over the top...

Tom

wackyjoe · 06-11-2006, 02:57 AM

md5() is decryptable, but it can take a while to do so depending on the chars. If it is combined with Aa1-10*#@#$% well it would take days to decrypt...if it is a simple "hello" it will take around 10mins maybe...

But yes people have been able to decrypt it through dictionary words, brute force attacks.

md5 and sha1 are both decryptable...if you really are that desperate i can show u a screen shot .. if it is allowed by the board admin ofcourse
????: NamePros.com http://www.namepros.com/showthread.php?t=173486

Linux decrypters are alot quicker then windows and they do it in nerly half the time aswell.

as mentioned above, you can prevent this by ofcourse using a salt.

No matter how much of an encryption you do create SOMEONE will be able to get around it someday

Scott · 06-11-2006, 03:00 AM

Originally Posted by wackyjoe

md5() is decryptable, but it can take a while to do so depending on the chars. If it is combined with Aa1-10*#@#$% well it would take days to decrypt...if it is a simple "hello" it will take around 10mins maybe...

But yes people have been able to decrypt it through dictionary words, brute force attacks.

????: NamePros.com http://www.namepros.com/showthread.php?t=173486
md5 and sha1 are both decryptable...if you really are that desperate i can show u a screen shot .. if it is allowed by the board admin ofcourse

Linux decrypters are alot quicker then windows and they do it in nerly half the time aswell.

No matter how much of an encryption you do create SOMEONE will be able to get around it someday

Originally Posted by Scott

OK. "Decrypt" this: 981d5552164c6b0865a9c161432c290e

wackyjoe · 06-11-2006, 03:18 AM

have sent you a PM

dhscott · 06-11-2006, 09:03 AM

If anyone thinks a encryption is unencryptable, you are clearly wrong. They thought enigma was unencryptable, but it wasn't. It took ages but it happened.

How about SSL encryption?

I heard it took a team of mathematicians 17 years to break one little line of code... (does anyone have a link to this story?)

What is the effectiveness of MD5 hash? It's 128 isn't it? SHA1 is 160-bits as well?

Put it simply, combine hash's and you shouldn't have any trouble, with anyone (For a long time atleast).

nick · 06-11-2006, 10:18 AM

doing md5(md5($string)) isn't necasarilly safer

03-04-2006, 01:29 PM	THREAD STARTER #1 (permalink)
asgsoft NamePros Regular Join Date: Sep 2005 Location: At Home Posts: 881	Md5() MD5, a hash encrytion of texts. although it is supposed to be uncovertable it can be converted back recently. it is a very easy function to use but uesed a lot in sending encrypted data and storing it, like this forum it uses it to store passwords. this is how it works: PHP Code: `$text="test text"; $encrypted= md5($text); echo $encrypted;` this will ouput 1e2db57dd6527ad4f8f281ab028d2c70. but to make it more secure like what IPB does it to double encypt it. so it looks like this: ????: NamePros.com http://www.namepros.com/webmaster-tutorials/173486-md5.html PHP Code: `$text="test text"; $encrypted= md5(md5($text)); echo $encrypted;` this will output: a932721fa7514980123ca95f1e94cb47 which is harder to crack becuase it is an encrytption of an encryptiom. hope that helps. __________________ Free SEO and Domain tools \|HTML ENT\| Your Source to expired domains with PageRank & tips

05-10-2006, 06:53 AM	#2 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	A better sollution is sh1 it works exactly the same as md5 except you replace md5 with sh1. Combine this with ROT13 and salt and you have secure encryption __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

05-10-2006, 09:46 AM	THREAD STARTER #3 (permalink)
asgsoft NamePros Regular Join Date: Sep 2005 Location: At Home Posts: 881	do you have any code examples? __________________ Free SEO and Domain tools \|HTML ENT\| Your Source to expired domains with PageRank & tips

05-10-2006, 12:36 PM	THREAD STARTER #5 (permalink)
asgsoft NamePros Regular Join Date: Sep 2005 Location: At Home Posts: 881	I ment for rmwebs's post? How will the code look like? __________________ Free SEO and Domain tools \|HTML ENT\| Your Source to expired domains with PageRank & tips

05-11-2006, 09:47 AM	#10 (permalink)
J4m!3 NamePros Member Join Date: Oct 2005 Location: Clevedon, UK Posts: 198	Wow im confused lol __________________ - Submit Gas Price related Pix & Rants @ PumpPanic.com -

05-10-2006, 11:29 AM	#4 (permalink)
dhscott Senior Member Join Date: Apr 2006 Posts: 1,345	The only things I can think of that would require MD5() are for logins. For that you need a database, MySQL goes well with PHP. An example I found on the net can be found here. I haven't tried it out yet, but I intend to later on just to see how it works. It requires MySQL. Judging by reading the summary, it MD5's on the clientside and macthes it up on the serverside instead of sending a plain-text password as it were... I'm confused now! Bah, i'll find an easier example that's easy to get!

05-10-2006, 01:14 PM	#6 (permalink)
dhscott Senior Member Join Date: Apr 2006 Posts: 1,345	D'oh! Didn't see you wrote the thread! Not familiar with ROT13 either, what is this?

05-10-2006, 03:54 PM	#7 (permalink)
Tree NamePros Regular Join Date: Feb 2006 Location: Atlanta, GA, USA Posts: 335	ROT13 advances letters thirteen characters. a = n b = o c = p etc, etc. More on MD5 Too much about MD5

05-31-2006, 07:22 AM	#11 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	a little bumpy update SHA1: PHP Code: `<?php if($_POST['go'] == 'Go') { echo sha1($_POST['text']); } else { echo "<form method='post' action='encrypt.php'> <input type='text' name='text'> <input type='submit' name='go' value='Go'> </form>"; } ?>` That gives the SHA1 output. For extra security: PHP Code: `<?php if($_POST['go'] == 'Go') ????: NamePros.com http://www.namepros.com/showthread.php?t=173486 { echo sha1(md5(str_rot13($_POST['text']))); } else { echo "<form method='post' action='encrypt.php'> <input type='text' name='text'> <input type='submit' name='go' value='Go'> </form>"; } ?>` The above will do SHA1, MD5 and then ROT13 __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

05-31-2006, 09:06 AM	#13 (permalink)
RickM Senior Member Join Date: Sep 2005 Location: Herts, UK Posts: 3,806	Actualy, MD5 can be decrypted...it has only recently been found out though. I wont post code up here that will prove this as i wouldnt want to create security problems for anyone, however i can assure you - MD5 is very decryptable...i have been able to decrypt upto 10 chars so far, and im sure others have got furthur. I would appreciate it if people stopped PMing me asking for the code...regardless of your reasoning, i would prefer not to release it. You can find it the same way i did...www.google.com __________________ Disney World Fans - Mobile Apps for your WDW Vacation! WSDReg - Affordable Domain Registration. Serving NP members since 2006! Hotel Site Script - 15% Discount for NP members with code 'NPROS'

05-31-2006, 02:24 PM	#14 (permalink)
Scott Senior Member Join Date: Jun 2003 Location: UK Posts: 3,541	MD5 can't be decrypted... MD5 produces a cryptographic hash. A hash cannot be decrypted or "converted back". MD5 is still very safe if used with a salt.

05-31-2006, 04:41 PM	#17 (permalink)
dchesterton NamePros Member Join Date: Aug 2005 Location: Essex, UK Posts: 139 Follow @dchesterton	Well please provide a link then. It is impossible to decrypt a hash, there is a difference between encryption and hashing. I'm guessing the site these people are referring to is http://www.md5decrypt.com/, try it with a string you have hashed and funnily enough it throws up an error, good isn't it! That site can only decrypt strings you have put into it, obviously it keeps a database of all strings entered and then tries to find a match. When will you people learn that it's impossible to decrypt a proper md5 hash. It takes supercomputers weeks just to find a collision. __________________ Chesterton Web Development Professional Web Development and Design Services

06-01-2006, 02:22 PM	#19 (permalink)
dhscott Senior Member Join Date: Apr 2006 Posts: 1,345	If in doubt, hash it twice! (md5(md5)) I know wordpress does...

06-11-2006, 02:57 AM	#21 (permalink)
wackyjoe NamePros Regular Join Date: Dec 2005 Posts: 210	md5() is decryptable, but it can take a while to do so depending on the chars. If it is combined with Aa1-10#@#$% well it would take days to decrypt...if it is a simple "hello" it will take around 10mins maybe... But yes people have been able to decrypt it through dictionary words, brute force attacks. md5 and sha1 are both decryptable...if you really are that desperate i can show u a screen shot .. if it is allowed by the board admin ofcourse ????: NamePros.com http://www.namepros.com/showthread.php?t=173486 Linux decrypters are alot quicker then windows and they do it in nerly half the time aswell. as mentioned above, you can prevent this by ofcourse using a salt. No matter how much of an encryption you do create SOMEONE will be able to get around it someday Last edited by wackyjoe; 06-11-2006 at 03:05 AM.*

06-11-2006, 03:18 AM	#23 (permalink)
wackyjoe NamePros Regular Join Date: Dec 2005 Posts: 210	have sent you a PM

06-11-2006, 09:03 AM	#24 (permalink)
dhscott Senior Member Join Date: Apr 2006 Posts: 1,345	If anyone thinks a encryption is unencryptable, you are clearly wrong. They thought enigma was unencryptable, but it wasn't. It took ages but it happened. How about SSL encryption? I heard it took a team of mathematicians 17 years to break one little line of code... (does anyone have a link to this story?) What is the effectiveness of MD5 hash? It's 128 isn't it? SHA1 is 160-bits as well? Put it simply, combine hash's and you shouldn't have any trouble, with anyone (For a long time atleast).

06-11-2006, 10:18 AM	#25 (permalink)
nick NamePros Regular Join Date: Jun 2004 Location: Iowa City Posts: 703	doing md5(md5($string)) isn't necasarilly safer __________________ formally ninedogger ------ Want to talk to a stranger? -->\| Click Here \| TalkToAStranger.com \| <-- Meet New Friends

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Md5	faisj	Programming	2	11-15-2005 09:29 PM
md5 table	axilant	Programming	4	06-29-2005 08:17 PM
MD5 or SHA1, which do you prefer?	nicholas	CODE	15	11-05-2004 12:00 PM