Md5 encrypted passwords

[klavixs]

Warning to novices in php this is a pretty advanced script and should be used by a person who is very knowledge in php if you insist on useing it on a novice stage it's at your own risk.

This scrypt checks a user inputed password and then encrypts it and checks the db's version of the md5 enc to see it is correct

//str is the inputed password the user gave
Function Encpass($str)

{

//this now encrypts the inputed password
md5($str);

//this checks the encrypted version of the inputed password
//to the databases stored version to see if it's correct
//change usrpass to whatever variable you use for the retrieved pass from db your checking
if (md5($str) == $usrpass)
 
 {
  //in your script check, if Cvalue equals 2 and it's a correct pass
  $Cvalue = "2";
 
  }
 
  else
  {
  //but if its a 1 it's incorrect password
  $Cvalue = "1";
  }

}
//you should next check Cvalue to make sure it equals 2
//if you use this and like it a link to my website is appreciated but not required
// my website is http://onfiretechnologies.com and it's an arcade of flash games 
// and has lots of cheat codes so use what ever relateing text you wish

this next part is for user registration

//this part is for user registration to encrypt password in md5
//stpass is the inputed password to encrypt
Function CMd5Pass($stpass)
{
//npass is the new encrypted version of the orignal inputed pass
$Npass = md5($stpass)
}

//now to enter it in db. save the Npass variable to the db for password
//if you use this and like it a link to my website is appreciated but not required
// my website is http://onfiretechnologies.com and it's an arcade of flash games 
// and has lots of cheat codes so use what ever relateing text you wish

 

[Noobie]

I'm confused but....

md5($str); //that line does nothing

run the script below you'll see.

<?php
$str = "a";
md5($str);
echo $str;
?>

The function is a little redundant but its a good way to advertise your site.

 

[Dan]

if (md5($str) == $usrpass)

That wouldn't work. You'd have to make $usrpass a global variable or make it in your function's input.

.. and for $Cvalue, I think it's more or less the same thing. You need to make it a global variable for it to be used outside of the function.

The next code you posted just md5()'s the text and doesn't do anything with it.

 

[klavixs]

the following is from www.w3schools.com

Definition and Usage

The md5() function calculates the MD5 hash of a string.

The md5() function uses the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

From RFC 1321 - The MD5 Message-Digest Algorithm: "The MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."

This function returns the calculated MD5 hash on success, or FALSE on failure.
Syntax

md5(string,raw)


Parameter Description
string Required. The string to be calculated
raw Optional. Specifies hex or binary output format:

* TRUE - Raw 16 character binary format
* FALSE - Default. 32 character hex number

Note: This parameter was added in PHP 5.0

Example 1

<?php
$str = "Hello";
echo md5($str);
?>

The output of the code above will be:

8b1a9953c4611296a827abf8c47804d7


Example 2

In this example we will print the result of md5() and then test it:

<?php
$str = "Hello";
echo md5($str);

if (md5($str) == '8b1a9953c4611296a827abf8c47804d7')
{
echo "<br />Hello world!";
exit;
}
?>

The output of the code above will be:

8b1a9953c4611296a827abf8c47804d7
Hello world!

you might be right about the globals but it was a quick throw together for a friend

 

[Kate]

A bit offtopic but isn't it best to use sha1 instead of md5 ?

 

[Noobie]

i've switched to sha1

 

[Dan]

I know how to use md5()...

You are using it inside of another function to do the same exact thing with a longer name and yours won't work.

Read: http://us3.php.net/global

 

[Barrucadu]

Heres a fixed version!

function Validate($str, $passwd){
     if(md5($str) == $passwd){
          return true;
     }else{
          return false;
     }
}

function Hash($str){
     return md5($str);
}

 

[Richard]

i highly suggest you don't use this code for MD5 encryption, extremely easy to crack (approx 1 - 3 seconds). In fact, you can crack it online at http://www.md5database.net/ :P to make it more secure you use a salt.

 

[dhscott]

Look, Md5 is stupidly hard to hack so don't say it is. People have got lucky with matching words with md5 hashes, simple as.

Using one or the other is not going to be sensible, the same result could happen.

The best you could do is to put an md5 into an sha1 and into rot13 and into salt...

Or simply just md5 the md5 hash...

 

[Dan]

Or simply just md5 the md5 hash...

Bingo.

 

[Kadenz]

Well, you could encrypt something easily. Just keep on md5ing and salting and sha1ing until your computer crashes, so it's pretty hard to crack stuff.

 

[Tree]

I just use md5 -> salt (700-7000 chars) -> sha1 -> rot13 -> md5

Works for me.

 

[TwistMyArm]

Just to add my two cents worth: MD5 is NOT an encryption process, it's a hashing process.

Please, especially when using a "pretty advanced script" (sic) such as this, can we at least use the correct terminology?

 

[Tree]

Good point. Encryption processes can be decrypted using a standard algorithm. Hashes cannot.

 

[neroux]

i highly suggest you don't use this code for MD5 encryption, extremely easy to crack (approx 1 - 3 seconds). In fact, you can crack it online at http://www.md5database.net/ :P to make it more secure you use a salt.

MD5 has its weaknesses, but it cannot be cracked in 3 second by far.

 

[Richard]

lmao, i have a 15 digit hash, md5database.net decrypts it straight away :S.

but if i use md5 then md5 and salt over that, it cant... that is much stronger. (type of hash ipb uses etc)

 

[JBebbington]

You do not get that there are billions of combinations, and md5database is very incomplete, there is a small chance that it has a standard dictionary word, but a mixed case, mixed character, and completely random string it will not decode.

 

[RickM]

md5database does not crack the MD5 keys, it has a database of keys people have entered...it only retrieves the already cracked info. If i enter "1234" into it to be encoded, that then gets added to their database. For example, i entered "88a712d55763cc29bb2986bba2493408" ("fgsg4352gv") into the decoder and it found nothing, but if i enter "fgsg4352gv" into the encoder it will then be added to the database.

To crack a md5 line takes quite a while...i created a script to do it and it took the script all day to crack a 5 char string.

The best way to protect yourself is double md5, salt or SH1 (but even SH1 can be cracked).

I've put together an encryption tool below, feel free to use it on your localhost to test out passwords and stuff

  <?php

if($_POST['submit']) {

$username=htmlspecialchars(addslashes($_POST['username']));
$password=htmlspecialchars($_POST['password']);

//Simple MD5
$password2=md5($password);

//Double MD5
$password3=md5(md5($password));

//Almost foolproof, MD5, SHA1, MD5, SHA1
$password4=md5(sha1(md5(sha1($password))));

//Alternativly use a "salt" string (random 3 characters for each user in the database that is added to the begining or end of the encryption. Example below:
$salt="&~/"; //Normaly this comes from the DB but im just doing an example here.
$password5=md5($password.$salt);

//Now i'll echo it all out into a nice little document :)
echo"<strong>RMWebs.net MD5 Tool</strong><br />You Entered The Following Information:<br /><strong>Username:</strong> ".$username."<br /><strong>Password:</strong> ".$password."<br /><br />
Here is the result of different methods of encryption:<br /><br />

<strong>Simple MD5:</strong> ".$password2."<br />
<strong>Double MD5:</strong> ".$password3."<br />
<strong>MD5-SHA1-MD5-SHA1:</strong> ".$password4."<br />
<strong>MD5+Salt:</strong> ".$password5."<br />
<br />
<strong>Recommended Use:</strong> MD5+Salt<br />
<strong>Most easy to crack:</strong> Simple MD5 followed by Double MD5<br /><br />

<font size=\"1\"><a href=\"http://www.rmwebs.net\">More usefull code and tools at RMWebs.net</a></font>";


}else {
?>
<form action="" method="POST">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="submit" value="Go!" />
</form>
<?php } ?>

 

[Barrucadu]

I dont particularly like MD5, mainly because of md5 databases. I do however, have to use it because phpbb2 uses MD5 and I cant be bothered to rehash all the passwords, lol.

This is my preferred method when hashing passwords:

$hash = base64_encode(rot13(md5(sha1($password).$salt)).sha1($password.md5($password)).$password);

 

[RickM]

Good method there...very secure

Heres another one...pretty much uncrackable (well...unless you can figure out a way to decode over 11 characters at a time)

$hash=md5(sh1(str_rot13(md5(md5(md5($password.md5(sh1($password.$salt))))))));

If you can crack that then you are very desperate :P

 

[neroux]

lmao, i have a 15 digit hash, md5database.net decrypts it straight away :S.

but if i use md5 then md5 and salt over that, it cant... that is much stronger. (type of hash ipb uses etc)

MD5 cannot be decrypted. The site you mentioned just has a list of some MD5 values with the respective data, on which it performs a lookup, this can be achieved with each hash method.

 

[RickM]

MD5 cannot be decrypted. The site you mentioned just has a list of some MD5 values with the respective data, on which it performs a lookup, this can be achieved with each hash method.

Actualy MD5 CAN be decrypted...and pretty easily at that.

 

[TwistMyArm]

MD5 CANNOT be decrypted, as it's not encryption in the first place!

Yes, finding a string of some sort that hashes to the same value as the string we want is relatively simple, but that is not decryption.

 

[RickM]

Call it what you like...the fact is you can turn an MD5 string back to its origional state. End of story.