Security - Simple md5 output [PHP]

[Ryder]

Recently users have been protecting their password by encrypting it in md5 format. Are you not up to date? Well with this script, you can be! (Although, this is not the safest form of protecting yourself... it is a simple script which will help you a lot. I hold no responsibility for any hack attempts against this script!)

<form method="POST" action=''>
<h1>md5 Encrypter</h1>
<b>Password to be Encrypted:</b><br>
<input type='text' name='secure' value=''>
<input type='submit' name='submit' value='Convert!'>
</form>

<?PHP
 $secure = htmlspecialchars(stripslashes($_POST['secure']));
if($_POST['submit'])
{
 if($secure == NULL)
 {
 echo ("<b>Error:</b> Type in the password to encrypt!");
 }
 if($secure != NULL)
 {
 $sec = md5($secure);
 echo ("<b>Text to encrypt:</b><br>$secure<br><br><b>Encrypted text:</b><br>$sec");
 }
}
?>

More tutorials coming soon at:
http://www.netsuhi.com

 

[Matthew.]

md5 should not be relied on. It is a myth that is can be decrypted because technically it is not an encryption however more and more larger and larger hash dictionaries are becoming easier to find.

You should SALT your passwords as well.

 

[Ryder]

Yes very true. I would advice anyone to research about encryption/decryption and security before using ANY password protection scripts. I assure you none of them is 100% safe and reliable on the net.

 

[jerometan]

MD5 tables are one of the most common.

The reason - used by almost every commercial php script.
If a hacker manages to get into the database, all he gets is MD5 hashes.

However, due to its popularity, very large tables (like rainbow tables) are available.

 

[Dan]

We all understand the crap about how it can be "decrypted" (I know that it isn't really decryption) and all the other stuff: http://www.namepros.com/code/238391-md5-encrypted-passwords.html

Also, the script in the first post doesn't actually do anything.. It just echo's the md5 of a string if it is "secure."

I hold no responsibility for any hack attempts against this script!

How can someone hack that.. There's nothing to hack.

 

[jerometan]

You can however, compare it to a hash table, and obtain a string.

However, it may NOT be the same. i.e. there WILL be collisions.

 

[Dan]

That's all stated in the thread I linked to.

 

[Camron]

Hmm, I just found this http://www.md5encryption.com/

Seems to work :o

 

[jerometan]

What it does is enter what you try to encrypt into the MD5 hash database.

When you enter the same hash into the decrypt field, it returns the original word again.

A pretty cheap trick. Try entering (1241b4d509c88dd2ed8c646ad812a1f6).

It'll be unable to decrypt.

 

[tanfwc]

If everyone on the net enter a value to the website, it will have billion of record to search for

 

[Matthew.]

Hmm, I just found this http://www.md5encryption.com/

Seems to work :o

It doesn't decrypt, it just uses a dictionary of hashes. The trick that fools most peoples with these websites is that you use them to encrypt a really long and complicated string that you think it wont be able to encrypt, but then go to decrypt it and find it can! Why? Because when you encrypt it, it adds the hash to the dictionary lol.

 

[jerometan]

If everyone on the net enter a value to the website, it will have billion of record to search for

Rainbow tables do it for your automatically...

 

[beaver6813]

Well done on using the md5 function ^^ I'm presuming this is one of your first ultra mini scripts. Use a SALT on it to improve security, so

md5($submittedpassword."RUBBER*()CHICKENS");

It will help to defeat rainbow tables and dictionarys full of hashes, users shouldn't use dictionary passwords anyways so perhaps getting the system to try and hack the password first with a small dictionary would get rid of the most easily to crack passwords.