
Md5()

MD5, a hash encryption of texts. Although it is supposed to be unconvertible, it can be converted back recently. It is a very easy function to use but used a lot in sending encrypted data and storing it; like this forum, it uses it to store passwords. This is how it works:
PHP:
$text="test text";
$encrypted= md5($text);
echo $encrypted;
This will output 1e2db57dd6527ad4f8f281ab028d2c70. But to make it more secure, like what IPB does, is to double encrypt it. So it looks like this:
PHP:
$text="test text";
$encrypted= md5(md5($text));
echo $encrypted;
This will output: a932721fa7514980123ca95f1e94cb47, which is harder to crack because it is an encryption of an encryption.

hope that helps.
 
0
•••
A better solution is sh1

it works exactly the same as md5 except you replace md5 with sh1.

Combine this with ROT13 and salt and you have secure encryption :)
 
0
•••
do you have any code examples?
 
0
•••
The only things I can think of that would require MD5() are for logins. For that you need a database, MySQL goes well with PHP.

An example I found on the net can be found here. I haven't tried it out yet, but I intend to later on just to see how it works. It requires MySQL.

Judging by reading the summary, it MD5's on the clientside and matches it up on the serverside instead of sending a plain-text password as it were... I'm confused now!

Bah, I'll find an easier example that's easy to get!
 
0
•••
I meant for rmwebs's post?

How will the code look like?
 
0
•••
D'oh! Didn't see you wrote the thread!

Not familiar with ROT13 either, what is this?
 
0
•••
rmwebs said:
A better solution is sh1

it works exactly the same as md5 except you replace md5 with sh1.

Combine this with ROT13 and salt and you have secure encryption :)
I believe you mean sha1 ;)

www.php.net/sha1
 
0
•••
rmwebs said:
Combine this with ROT13 and ...

Better still, for extra security, double encrypt with ROT13.
:hehe:
 
0
•••
Wow, I'm confused lol
 
0
•••
*a little bumpy update*

SHA1:
PHP:
<?php
// Print the SHA-1 of the submitted text, otherwise show the form.
if (isset($_POST['go']) && $_POST['go'] == 'Go')
{
	echo sha1($_POST['text']);
} else {
	echo "<form method='post' action='encrypt.php'>
<input type='text' name='text'> <input type='submit' name='go' value='Go'>
</form>";
}
?>

That gives the SHA1 output.
For extra security:

PHP:
<?php
// The innermost call runs first: str_rot13(), then md5(), then sha1().
if (isset($_POST['go']) && $_POST['go'] == 'Go')
{
	echo sha1(md5(str_rot13($_POST['text'])));
} else {
	echo "<form method='post' action='encrypt.php'>
<input type='text' name='text'> <input type='submit' name='go' value='Go'>
</form>";
}
?>

The above will do SHA1, MD5 and then ROT13 :)
 
0
•••
although it is supposed to be unconvertible it can be converted back recently
This statement is 100% false. You cannot convert back MD5, it is true that collisions have been found but all that means is that two different strings produce the same hash. They are still nearly impossible to find.

Any encryption is prone to dictionary attacks if you don't include a salt. An MD5 encryption with a salt will be more than enough for many sites out there although if you are serious about security I would recommend hashing with SHA256 or even SHA512 and including a pre-set SALT that only you know and a random SALT which will be stored in the database with the password. That way even if a user gets the hashed password and the SALT they still cannot use a dictionary attack as they do not have the secret salt that only you know.

The only things I can think of that would require MD5() are for logins. For that you need a database, MySQL goes well with PHP.

An example I found on the net can be found here. I haven't tried it out yet, but I intend to later on just to see how it works. It requires MySQL.

Judging by reading the summary, it MD5's on the clientside and matches it up on the serverside instead of sending a plain-text password as it were... I'm confused now!
You are correct that passwords are normally stored in a MySQL database, but what if somebody (even a site admin) gains access to the database? The passwords are there in plain-text. If they are hashed (not encrypted, two totally different things) then it's impossible to find the users' password.

Unfortunately the passwords will still be sent in plaintext from the client to the server, this is where SSL certificates are needed.

I have also heard, might not be completely true but if you hash an already hashed string it increases the chance of collisions. Don't ask me how though ;)

Hope that all made sense :D
 
0
•••
Actually, MD5 can be decrypted...it has only recently been found out though.

I won't post code up here that will prove this as I wouldn't want to create security problems for anyone, however I can assure you - MD5 is very decryptable...I have been able to decrypt up to 10 chars so far, and I'm sure others have got further.

I would appreciate it if people stopped PMing me asking for the code...regardless of your reasoning, I would prefer not to release it.

You can find it the same way I did...www.google.com
 
0
•••
MD5 can't be decrypted... MD5 produces a cryptographic hash. A hash cannot be decrypted or "converted back". MD5 is still very safe if used with a salt.
 
0
•••
Scott said:
MD5 can't be decrypted... MD5 produces a cryptographic hash. A hash cannot be decrypted or "converted back". MD5 is still very safe if used with a salt.

Well, I just did a Google search and found a site that can decrypt MD5. I tried it and it worked.
 
0
•••
gameztown said:
Well, I just did a Google search and found a site that can decrypt MD5. I tried it and it worked.

OK. "Decrypt" this: 981d5552164c6b0865a9c161432c290e
 
0
•••
Well please provide a link then. It is impossible to decrypt a hash, there is a difference between encryption and hashing. I'm guessing the site these people are referring to is http://www.md5decrypt.com/, try it with a string you have hashed and funnily enough it throws up an error, good isn't it! That site can only decrypt strings you have put into it, obviously it keeps a database of all strings entered and then tries to find a match.

When will you people learn that it's impossible to decrypt a proper md5 hash. It takes supercomputers weeks just to find a collision.
 
0
•••
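What the replies above describe (a "decrypt" site that only matches hashes of strings it has already stored, and a random per-user salt combined with a secret kept outside the database), as an added PHP example that is not any poster's code. The word list, passwords, secret and function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Passwords, word list and secret are constructed.

// What a "decrypt" site does: store hash => original for every string it has seen.
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Scheme from the post above: random per-user salt (stored beside the hash)
// plus a secret that lives only in server config, never in the database.
function salted_hash(string $password, string $salt, string $secret): string
{
    return hash_hmac('sha256', $salt . $password, $secret);
}

function verify_salted(string $password, string $salt, string $secret, string $stored): bool
{
    // hash_equals() compares in constant time
    return hash_equals($stored, salted_hash($password, $salt, $secret));
}

$lookup = build_lookup(['password', 'letmein', 'test text']);

// Unsalted MD5: same password => same hash for every user, and the table resolves it.
$alice = md5('letmein');
$bob   = md5('letmein');
printf("unsalted equal: %s, lookup hit: %s\n",
    var_export($alice === $bob, true), $lookup[$alice] ?? 'none');

// Salted and keyed: same password, different stored values, no table entry matches.
$secret    = 'constructed-server-secret';
$aliceSalt = bin2hex(random_bytes(16));
$bobSalt   = bin2hex(random_bytes(16));
$aliceHash = salted_hash('letmein', $aliceSalt, $secret);
$bobHash   = salted_hash('letmein', $bobSalt, $secret);
printf("salted equal: %s, lookup hit: %s\n",
    var_export($aliceHash === $bobHash, true), $lookup[$aliceHash] ?? 'none');

// Login still works because the salt is read back from the user's row.
printf("login ok: %s, wrong password ok: %s\n",
    var_export(verify_salted('letmein', $aliceSalt, $secret, $aliceHash), true),
    var_export(verify_salted('letmein1', $aliceSalt, $secret, $aliceHash), true));
```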
Scott said:
OK. "Decrypt" this: 981d5552164c6b0865a9c161432c290e
heh... a very badly scripted error! :)
 
0
•••
If in doubt, hash it twice! (md5(md5))

I know WordPress does...
 
0
•••
qwhois said:
If in doubt, hash it twice! (md5(md5))

I know WordPress does...
I do this:

PHP:
$str = "hello"; // string

$md5 = md5($str); // md5 the string

$new = substr($md5, 16).substr($md5, 0, 16); // swap the halves: last 16 chars, then first 16

$last = md5($new); // md5 the resulting string...

but then again, maybe I am going over the top...

:)

Tom
 
0
•••
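For a site that already stores md5() or md5(md5()) values like the ones in this thread, one way to move each account to PHP's built-in password_hash() the next time its owner logs in, as an added example that is not any poster's code. password_hash() generates its own random salt on every call and stores it inside the returned string; the row layout and function names here are hypothetical.

```php
<?php
// Added example, not code from the thread. The user row and its values are constructed.

// The double-MD5 form several posts describe.
function legacy_hash(string $password): string
{
    return md5(md5($password));
}

// Legacy values are exactly 32 lowercase hex characters; password_hash() output starts with '$'.
function is_legacy(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Returns [login accepted?, replacement hash to store or null].
function check_login(string $password, string $stored): array
{
    if (is_legacy($stored)) {
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        // Correct password on an old row: re-hash with a per-password random salt.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Upgrade again later if PHP's default algorithm or cost changes.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

$row = ['user' => 'tom', 'hash' => legacy_hash('hello')];  // constructed legacy row

foreach (['wrong', 'hello', 'hello'] as $attempt) {
    [$ok, $new] = check_login($attempt, $row['hash']);
    if ($ok && $new !== null) {
        $row['hash'] = $new;  // a real site would UPDATE the user's row here
    }
    printf("%-5s ok=%s legacy=%s\n", $attempt,
        var_export($ok, true), var_export(is_legacy($row['hash']), true));
}
```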