Md5 encrypted passwords

[klavixs]

Warning to novices in php this is a pretty advanced script and should be used by a person who is very knowledge in php if you insist on useing it on a novice stage it's at your own risk.

This scrypt checks a user inputed password and then encrypts it and checks the db's version of the md5 enc to see it is correct

//str is the inputed password the user gave
Function Encpass($str)

{

//this now encrypts the inputed password
md5($str);

//this checks the encrypted version of the inputed password
//to the databases stored version to see if it's correct
//change usrpass to whatever variable you use for the retrieved pass from db your checking
if (md5($str) == $usrpass)
 
 {
  //in your script check, if Cvalue equals 2 and it's a correct pass
  $Cvalue = "2";
 
  }
 
  else
  {
  //but if its a 1 it's incorrect password
  $Cvalue = "1";
  }

}
//you should next check Cvalue to make sure it equals 2
//if you use this and like it a link to my website is appreciated but not required
// my website is http://onfiretechnologies.com and it's an arcade of flash games 
// and has lots of cheat codes so use what ever relateing text you wish

this next part is for user registration

//this part is for user registration to encrypt password in md5
//stpass is the inputed password to encrypt
Function CMd5Pass($stpass)
{
//npass is the new encrypted version of the orignal inputed pass
$Npass = md5($stpass)
}

//now to enter it in db. save the Npass variable to the db for password
//if you use this and like it a link to my website is appreciated but not required
// my website is http://onfiretechnologies.com and it's an arcade of flash games 
// and has lots of cheat codes so use what ever relateing text you wish

 

[lee101]

if it is so easily decryptable then could someone please decrypt this hash please:

4C7C835D244453B9A29D397E5CD973FD

If it was so easily decryptable then it would be the ultimate in compression, as a hash can be taken of files, so imagine turning a 4 gig movie into a 32 byte string?

 

[TwistMyArm]

rmwebs: no offence, but you can't. lee101 is right. Even if you can reverse an MD5 hash to a value, you don't know for sure that that is the original string. I'll be the first to admit that I haven't been keeping up with reversing MD5 hashes but I know for a fact that what you end up with is not guaranteed to be the same as the original starting string. All references to breaking MD5 that I have seen are about finding strings that have the same hash as the original.

Now I know that this doesn't make any real difference to hashed passwords (as if the code is just comparing the hash of one string to that of another, you need the hashes to match only) but it is important that everyone in the discussion understand exactly what's being discussed.

 

[neroux]

Actualy MD5 CAN be decrypted...and pretty easily at that.

Well, if its that easy please tell me the original data of the following hash and I pay you US$20

6d099b839e50c2e6138789b360aecdd0

 

[mvl]

MD5 is a hash so it can by definition not be decrypted. MD5 can be attacked however, but most of that is avoidable by adding salt or MD4-ing the hash itself.

 

[Jim_]

Call it what you like...the fact is you can turn an MD5 string back to its origional state. End of story.

original*

Anyway, there is no way to decrypt or turn an MD5 string back to it's original state. You can only brute-force it. The act of brute forcing is basically just taking a bunch of guesses until you find a match.

Of course, people have generated lists of common passwords and their hashes as well as rainbow, which will help discover simple passwords using basic character sets, but is easily defeated by salting and multi-layer hashing.

There is no possible way to just 'decrypt', 'decode', 'revert', 'reverse', or (call it what you like) a hash string. End of story.


...

Back on topic, what makes this such an advanced script? lol. It doesn't actually do anything.

 

[lee101]

i know this is off topic, but, imagine in the future when processors are millions times better than they are now, by using something similar to a md5 hash, and if computers were quick enough use a brute force attack to decode it, then in say a few seconds you could get virtually all the possible results, you choose the one you want and thenit is decoded into the original file, thus removing the need for larger and larger hard drives, and even high speed internet, by just using a hell of a lot of hashes, obviously htere are probably flaws in that, but it was just a thought i had

 

[RickM]

original*

Anyway, there is no way to decrypt or turn an MD5 string back to it's original state. You can only brute-force it. The act of brute forcing is basically just taking a bunch of guesses until you find a match.

Of course, people have generated lists of common passwords and their hashes as well as rainbow, which will help discover simple passwords using basic character sets, but is easily defeated by salting and multi-layer hashing.

There is no possible way to just 'decrypt', 'decode', 'revert', 'reverse', or (call it what you like) a hash string. End of story.


...

Back on topic, what makes this such an advanced script? lol. It doesn't actually do anything.

You don't know how wrong you are...

I'm not going to argue with you; but it can and has been done...it takes a long time to get the string, but it can be done.

 

[TwistMyArm]

You can definitely get A string, but you can't prove that it's THE string.

 

[Jim_]

You don't know how wrong you are...

I'm not going to argue with you; but it can and has been done...it takes a long time to get the string, but it can be done.

That's just finding a matching collision. Takes forever and theres no way to prove that the result is the data originally hashed.

You have no idea how rude you come off.

 

[Keral_Patel]

Given a MD5 string for less then 14 original characters I can decrypt it.

The problem is that my PC is not supporting the multiples of more then 14 characters. It hangs my PC

 

[neroux]

You don't know how wrong you are...

I'm not going to argue with you; but it can and has been done...it takes a long time to get the string, but it can be done.

As I said, tell me the original data of

6d099b839e50c2e6138789b360aecdd0

and I pay US$ 20.

Given a MD5 string for less then 14 original characters I can decrypt it.

The problem is that my PC is not supporting the multiples of more then 14 characters. It hangs my PC

Its was never said that MD5 is not vulnerable too brute force attacks, but each enryption/hashing method is that.

I will pay you US$5 as well, if you can actually decrypt (which shouldnt be possible with a hash, but maybe we learn something new today) this hash in a reasonable time

8a9e4a2e5c862322789d22f9d4ced72c

Its less then 14 characters and upon a successful "decryption" I will need to know the exact methods and steps you used.

 

[tm]

You can't decrypt md5.. only brute force it.

Make it safer by md5'ing it twice, or maybe adding another encryption method like salt/sha1.

//edit oh and lee101 the string you provided isn't even an md5.

 

[RickM]

Firstly, theres no way in a million years i would share how to do it...if more people know how to do it, more people loose passwords to script kiddies.

Secondly, I am not going to do this...why?

Well firstly I don't like being spoken to like something that came out of your rear end.
Secondly it would take around 2 days as the script is VERY slow (as nick_mayhem has already stated).
And finally, i don't need to prove myself to some ignorant person who wont accept reality...remember when MD4 was cracked...

There are several sites on the internet with teams of people who have been cracking MD5. Some of them are using their own cracking software, some of them use a widely available tool to do it...if you are smart enough you can probably find this tool using Google.

Edit: Oh, and another thing...the US government used SH-1 until recently...if you read into WHY they switched it was because not just MD5, but SH1 has also been compromised

 

[tm]

Firstly, theres no way in a million years i would share how to do it...if more people know how to do it, more people loose passwords to script kiddies.

Secondly, I am not going to do this...why?

Well firstly I don't like being spoken to like something that came out of your rear end.
Secondly it would take around 2 days as the script is VERY slow (as nick_mayhem has already stated).
And finally, i don't need to prove myself to some ignorant person who wont accept reality...remember when MD4 was cracked...

There are several sites on the internet with teams of people who have been cracking MD5. Some of them are using their own cracking software, some of them use a widely available tool to do it...if you are smart enough you can probably find this tool using Google.

That sounds like you're brute forcing it... which means going through each possible combination to see if that's the string. This isn't the same as decrypting. If this is wrong, please, tell me.

 

[RickM]

Nope, not brute forcing (although that is much easier than reversing it).

 

[lee101]

//edit oh and lee101 the string you provided isn't even an md5.

Oops, was meant to be the checksum of ubuntu server, obviously not then, take 2:

5ad76d8b380ab5be713e5daa9ea84475

 

[neroux]

Firstly, theres no way in a million years i would share how to do it...if more people know how to do it, more people loose passwords to script kiddies.

Secondly, I am not going to do this...why?

Well firstly I don't like being spoken to like something that came out of your rear end.
Secondly it would take around 2 days as the script is VERY slow (as nick_mayhem has already stated).
And finally, i don't need to prove myself to some ignorant person who wont accept reality...remember when MD4 was cracked...

Boy, why do you have to make such a fool out of yourself? You have been multiple times told that it is not possible to "decrypt" MD5, you can only use brute force methods - which is apparently what you "would like" to use, but thats no cracking.

You were even offered money to crack such an - according to you - easy hash and failed nonetheless to come up with the "decrypted" data. You werent even asked to show a how-to but only the decrypted data in reasonable time.

Furthermore you try now to be cool cracker guy from the streets who doesnt need to share his magic - actually this seems very much like the script kiddies you were referring to - and becomes offensive when he is shown that his statements are obviously wrong.

For the last time, MD5 has its weaknesses (especially about collisions) but nonetheless cannot be "decrypted". All you can do is using brute force methods, and these can be used on any hash and encryption method.

 

[Kate]

You can't decrypt md5.. only brute force it.

Make it safer by md5'ing it twice, or maybe adding another encryption method like salt/sha1.

//edit oh and lee101 the string you provided isn't even an md5.

Applying md5 on a md5 hash is not safer, it may actually increase the likelyhood of a collision.
The best defense is enforcing strong passwords that will resist brute force attack or at least make them time-consuming/computationally intensive (more than 8 chars and using special characters).
For example if you have a password like 4321 the corresponding md5 hash can be brute-forced in one second... on the other hand if the password is something like n4f5#p-u!ja_8 then it's going to take much longer

Many people use numbers only (like DOB) and short words, these passwords are very quick to find. It also means that if your phpbb/vbb db is compromised a hacker can get the weak passwords in very little time.

Also it is better to use sha1 instead of md5 if possible.

 

[RickM]

Boy, why do you have to make such a fool out of yourself? You have been multiple times told that it is not possible to "decrypt" MD5, you can only use brute force methods - which is apparently what you "would like" to use, but thats no cracking.

You were even offered money to crack such an - according to you - easy hash and failed nonetheless to come up with the "decrypted" data. You werent even asked to show a how-to but only the decrypted data in reasonable time.

Furthermore you try now to be cool cracker guy from the streets who doesnt need to share his magic - actually this seems very much like the script kiddies you were referring to - and becomes offensive when he is shown that his statements are obviously wrong.

For the last time, MD5 has its weaknesses (especially about collisions) but nonetheless cannot be "decrypted". All you can do is using brute force methods, and these can be used on any hash and encryption method.

Me making a fool out of myself? Thats rich.

I'm not trying "to be cool cracker guy from the streets", the fact is it can be cracked and I'm not willing to share how...if you had half a brain cell you would Google it. I'm not being offensive by refusing to do as you asked...I'm just not willing to go to such a level.

I really couldn't give a monkeys back side if you believe me or not, thats not my problem.

 

[Barrucadu]

rmwebs, you are making a fool of yourself. MD5 cannot be cracked at it is not encryption! It is a hash, and there is no such thing as "unhashing". The only thing you can do is brute force it.

 

[neroux]

Me making a fool out of myself? Thats rich.

I'm not trying "to be cool cracker guy from the streets", the fact is it can be cracked and I'm not willing to share how...if you had half a brain cell you would Google it. I'm not being offensive by refusing to do as you asked...I'm just not willing to go to such a level.

I really couldn't give a monkeys back side if you believe me or not, thats not my problem.

Continuing making statements which dont stand a second doesnt make them truer.

As I said you have been numerously times told by several people that it is impossible to reverse an MD5 hash. What you are probably talking about all the time is brute force, but this is no cracking and can be applied on any encryption and hashing method (how many times do I have to repeat this?).

And yes you are actually making a fool out of yourself by continuing to make such ridiculous statements without delivering any proof for it - your rude and offensive behaviour is just backing up that.

 

[TwistMyArm]

To be fair, there are applications out there that claim to be MD5 crackers and in theory, from the user's point of view at least, it is quite fast. The only reason for this, though, is that essentially all of the hard work is done already (see Project RainbowCrack).

The hashes are already stored in a huge table: when the user wants to crack an MD5, they do a look up.

rmwebs: two final questions from me, then.
1) Does your 'MD5 cracking' work still when the original hashing was salted?
2) How do you know that the result is not something that just has the same hash as what you were looking for originally?

 

[sote]

What would happen if I didn't hash passwords in my database?

 

[Barrucadu]

What would happen if I didn't hash passwords in my database?

If someone guessed your database password, they would be able to see all passwords.

 

[Keral_Patel]

Why someone is not just giving me a 10 character MD5.

With a-z 0-9 in it. So that I can see if my code is working or not. :D