  1. #1
    SitePoint Wizard

    Can md5() be decoded?

    Ok, so I've started on the long haul into securing the code I write. I have been advised to use md5() to encode my info. Can the encryption be decoded in order to display a password back to a user?
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  2. #2
    SitePoint Wizard silver trophy
    md5 produces a hash that cannot be decrypted.

    If you're storing passwords as a hash, and a user wants to find their lost password, you need to let them choose a new password, as the old password is not recoverable.

  3. #3
    SitePoint Wizard
    okey dokey. Thx clam
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  4. #4
    SitePoint Wizard silver trophy
    One thing I should mention: while md5 can't be 'decrypted', you can however find other strings that will produce the same md5 hash.

    There are a few md5 hash databases on the web where you can enter a hash, and it will search through its gigantic database and retrieve all known strings which will produce that same hash.

    finding another string that produces the same md5 hash can often be just as useful to a hacker.

  5. #5
    SitePoint Wizard
    Hmmm, I see. Is there any way round that? Or any other function I can use which can't be misused? (Saying that, if it can be coded, a hacker can always find a way to decode it, I guess.)
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  6. #6
    SitePoint Wizard silver trophy
    well, first of all they should never gain access to your hash, but we all know it could happen.
    but there is another step you can do.

    the term is called 'salt'

    basically, you concatenate a string to the password which was submitted.

    PHP Code:

    $salt = 'whatever';

    // prepend the salt to the submitted password before hashing
    $hash = md5($salt . $_POST['password']);

    // now check your db to see if the hash matches what's in the db

    This makes sure that the string they submit will not be directly md5()'d and checked against the db value. It will be modified, so this prevents them from finding a string which will produce the same hash. Once you add the salt, the string they submitted will now produce a completely different hash.

    You must use the same salt when you originally store the hash in the database, and when you check if the submitted password matches the hash in the database.

    I'm not an expert on this type of stuff, and I encourage you to take what I say with a grain of salt (no pun intended lol)

    maybe someone can provide some links for you to read on this subject.

  7. #7
    Maniacally depressed robot poncho's Avatar
    Have a look on the php function overview of md5 for some ideas on creating a 'better' hash. There are other encryption methods such as the crypt function with the ability to use md5, sha1, blowfish etc. as the encryption type.

    Cheers;
    Poncho
    Perfecting the art of breaking stuff.
    Check 'em: CakePHP | TextMate
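
Added example, not code from any poster in this thread: the single site-wide salt from post #6 next to PHP's password_hash(), which applies the bcrypt (blowfish) scheme of the crypt() function mentioned in post #7 with a fresh random salt per password. The function names, sample passwords and cost values are constructed for illustration.

```php
<?php
// Scheme from post #6: one salt shared by every user, fast MD5.
function static_salt_hash(string $password): string
{
    $salt = 'whatever';                 // same value for every account
    return md5($salt . $password);
}

// bcrypt with a random per-password salt and a tunable work factor.
function store_password(string $password): string
{
    // The returned string embeds the algorithm, the cost and the salt,
    // so it is the only value that has to be stored for the user.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $submitted, string $stored): bool
{
    // Re-derives the hash using the salt and cost read from $stored
    // and compares the result in constant time.
    return password_verify($submitted, $stored);
}

// Constructed sample: two users who happen to pick the same password.
$alice = 'correct horse';
$bob   = 'correct horse';

// Static salt: equal passwords give equal hashes, so one recovered
// password exposes every account that shares it.
var_dump(static_salt_hash($alice) === static_salt_hash($bob));

// Per-password salt: the stored strings differ for equal passwords,
// so a table computed for one entry is useless for the other.
$aliceStored = store_password($alice);
$bobStored   = store_password($bob);
var_dump($aliceStored === $bobStored);

// Verification still works because the salt travels with the hash.
var_dump(check_password('correct horse', $aliceStored));
var_dump(check_password('wrong guess', $aliceStored));

// When hardware gets faster, raise the cost and rehash the password
// at the user's next successful login.
var_dump(password_needs_rehash($aliceStored, PASSWORD_BCRYPT, ['cost' => 13]));
```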

  8. #8
    SitePoint Wizard bronze trophy Immerse's Avatar
    I think I read somewhere that someone had found a way of getting collisions (i.e. finding two different strings that both give the same hash) using SHA1, but that it takes a lot of CPU power to do that.

    I'd suggest using SHA1 anyway or even better, a combination of the two, e.g. split the password in two, and then hash one section with MD5 and the other with SHA1, concatenate them and then store that as your password hash

  9. #9
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    In other words create your own unique encoding algorithm, which involves md5, sha1, etc.

  10. #10
    SitePoint Wizard
    Whoa, anyone would think I'm creating a website for HSBC

    Well guys, thx so much for the info, didn't dream of getting that much help on the subject. Thx again
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  11. #11
    SitePoint Wizard bronze trophy Immerse's Avatar
    Heh, I've created a couple of apps for my old employer (a bank) and used lots of tricks like that. Security guys dig them (even if I'm not 100% sure that the MD5.SHA1 trick is actually safer than just a SHA1 on its own).

  12. #12
    SitePoint Wizard
    I take it SHA1 is the same kinda thing as md5?

    EDIT: just php.neted it and it returns a 40-character hash
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  13. #13
    SitePoint Wizard
    Ok, so I've just tested something, let me know what you think.

    PHP Code:
    $Pass = "mypassword";

    $MdPass = md5($Pass);
    $ShaPass = sha1($MdPass);

    echo $MdPass . "\n"; // Testing purposes
    echo $ShaPass; // Testing purposes

    How safe would that be, md5() the password the user enters, then use sha1 on the hash created by md5?
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  14. #14
    SitePoint Wizard TheRedDevil's Avatar
    It would not make your application more secure. You can md5, sha etc. a password as many times as you want but it will not make it more secure. If you're trying to brute force it you will try all of these different methods each time anyway, just in case.

    And for everyone screaming that md5 is not secure anymore, it is as secure as it ever was. As long as you put a real salt to the password it will take months to find a collision, i.e. the longer the string, the more different letters/symbols the longer it takes.

    You can bruteforce a 4 letter password in under 30sec, if the password including the hash is 200 characters long and a mix of different letters, numbers and symbols it will take months.

    And let's not mention that if someone manages to get ahold of your hashes it does usually mean they already got an entry to the system...

  15. #15
    Keep it simple, stupid! bokehman's Avatar
    The thing is, if your server is compromised the attacker will have access to your encryption method, so no matter how ingenious it is, it is irrelevant.

  16. #16
    SitePoint Wizard
    Hmmm, well they are very valid points. Well, I've learnt a lot
    "Am I the only one doing ASP.NET in Delphi(Pascal)?"

  17. #17
    SitePoint Addict
    MD5 can be decrypted, just thought I would let everyone know that.

  18. #18
    SitePoint Wizard bronze trophy Immerse's Avatar
    Technically, MD5 cannot be decrypted, as it's not encrypted data, but a hash of the data.

    You can, however, generate collisions - finding different strings which give the same MD5 hash.

    Bottom line though, is that it's not as safe as people once imagined. A friend of mine had two machines set up at home generating hashes and storing them in a database. He let them run for a month (I don't even want to know how much disk space he used for that) and then, for a laugh, we searched for the hash of my favourite password. Oops, we found a match...


  19. #19
    SitePoint Addict
    There was an engine on Google I found a while back that did the same thing.. It had a DB of thousands upon thousands of hashes... It stored the unhashed and the hashed... You entered the plain text and it would give you the hash ( easy ) but then you enter the hash and it gave you the plain text. It was pretty scary.

  20. #20
    SitePoint Addict
    But as it was said before.. This is nothing more than a brute force... as far as it taking months I am not too sure about that... Someone can let a very decent computer run for about 3 days and get a password dictionary that is very impressive.

    Bottom line.. USE SALT.. USE PASSWORD KEYS and everything you can to fool your intruder... I think it's a game...

    *** And correcting my first post ****
    MD5 can't be decrypted in the normal sense.. Unless you are a math genius and somehow figure out how the symbols relate to the letters and so forth. That would be the only way... But the thing is.. is that the user can't enter the HASH into the form to login.. It has to be the plain text.. And if the intruder has your hash then he has already hacked your database and doesn't NEED to login through your PHP.. lol he can download it and take out the session requirements...

  21. #21
    SitePoint Wizard bronze trophy Immerse's Avatar
    At which point your application or website is in big trouble anyway

  22. #22
    SitePoint Addict
    Quote Originally Posted by Immerse
    At which point your application or website is in big trouble anyway
    Hope you're flexible... Because you WILL be kissing your *** good bye

  23. #23
    Life is strife TriGeminal's Avatar
    Yes, I know some guys who can reverse it, just a matter of time for them!

    Better take care of your code, so as not to allow anyone to reach the hash!

    P.S. Nobody is going to reverse it except for fun or for important info only
    "The only thing necessary for the triumph of evil ..
    .. is for good men to do nothing"
    Edmund Burke.

  24. #24
    SitePoint Wizard dreamscape's Avatar
    Quote Originally Posted by TheRedDevil
    And for everyone screaming that md5 is not secure anymore, it is as secure as it ever was.
    Yes and no. If you look at just the MD5 schema, then yes the security has not changed, but that is not the whole of security. Part of security is also how expensive it is for an attacker to break through. For example limiting the number of allowed login attempts is more secure against brute force than not limiting, because successfully carrying out a brute force attack is much more expensive and difficult to do.

    MD5 collisions have always been possible, but were long considered so improbable that the effort required to find one was far too expensive for computers to efficiently carry out in a reasonable time. But technology changes, and better technology means that the "less secure" hashing algorithms that not too long ago were considered pretty strong (like MD5 and SHA1), become less secure in the face of new technology. Today, you can probably find an MD5 collision with a single home PC in under 3 days. There have been a number of case studies and proofs to demonstrate that MD5 collisions are no longer in the realms of "improbable" and "expensive" as many once thought. There have also been some cases showing that SHA1 collisions are easy to find with today's technology.

    For password hashing, I would say no hashing algorithm less than SHA-256 in addition to other standard precautions like salting would be the minimum security you'd want for a new application you're building.

    Quote Originally Posted by Mav3n
    And if the intruder has your hash then he has already hacked your database
    Not necessarily. You would probably be surprised at the number of applications whose "auto login" feature stores your password hash in a cookie. It could also be intercepted if the SQL server is on a different machine and a hacker is listening between the two. It could also be intercepted by examining the SQL logs. There are a number of ways to get a certain piece of info in a database without hacking into the database itself.

  25. #25
    SitePoint Addict
    dreamscape... Thanks for bringing up the cookie option for me.. But isn't cookie/session information usually hashed anyways?

    If they are listening, they won't hear anything if you are behind an SSL.

    As far as the SQL logs, I don't see why anyone would post to a DB on a different server.

