Encrypting/decrypting passwords - How to get length after md5()


I am doing some work with passwords on my site using md5(). I was wondering, how can I get the length of the original decrypted password?

For instance, on a user’s “edit password” page, a 6 letter password will be displayed as (******) (6 stars). If I use md5, it shows up as (********************************) (32 stars) when I use a php function to count the number of characters in the password and put stars in its place.

I am mostly doing this to make it look more aesthetically attractive, so if a real password is 6 characters long, it should display 6 stars. I’ve noticed big sites like eBay do it correctly but I’m sure they are also encrypting/decrypting the passwords instead of storing plain passwords in the database.

Let me know how this can be done, whether this is an md5 issue or some other method.


Once you have encrypted the password with MD5 you can not calculate the total length of the original string. If you really wish to do this you can count the string before you encrypt it, get the value and save it within the database.

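// Count the characters before hashing; the hash cannot reveal the length.
$length = strlen($_POST['password']);
$encrypt = md5($_POST['password']);
// Cast the id to an integer so request data cannot alter the query.
$id = (int) $_POST['id'];
mysql_query("UPDATE `users` SET `password`='{$encrypt}', `length`='{$length}' WHERE `id`='{$id}' LIMIT 1");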

That’s a very basic and crude version, but would solve your issue.

I don’t understand when exactly you want to show these stars?
When the user types the password in the password input field, the stars (or dots, or whatever) appear. If the password has been ‘remembered’ by the browser, the stars will already be there.

At what point would you want your script to show stars in the password field? And why? It wouldn’t be the valid password anyway. It would be just stars.

As guido says. Don’t show the stars. Two reasons: 1, as guido said, it isn’t valid input, and 2, it’s a security hazard.

Yep. You give away the length of the password.

I have a summary list of user details like email address, country, address and etc on an “edit profile” page. It does not show up in an input field, just plain text. The password would just show up as: ******.

There is no way for you to tell from an md5 hash how long the password is as there will be millions of different values with different lengths that will match to that md5 hash. If you pick a length over a million characters then it will probably be very likely that there is at least one value with that length that will match to the md5 hash.

This is simple. Show the same number of “stars” regardless of how long the password might have been. There is no reason to try and be fancy.
Oh…and stop using MD5, use something a little more secure as well as add salts.
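As an added example (not code from any poster in this thread), one way to follow this advice in PHP: a salted, slow hash from PHP's built-in password_hash(), legacy md5() rows upgraded at the next successful login, and a fixed mask on the profile page. The arrays standing in for database rows, the function names and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The arrays stand in for rows of a
// users table; names and sample passwords are constructed for illustration.

const PASSWORD_MASK = '********'; // same mask for every account, so no length leaks

// Store a new password. password_hash() generates a random salt and embeds
// it, with the algorithm and cost, in the string it returns.
function store_password(array &$user, string $plain): void
{
    $user['password'] = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Check a login attempt. Rows that still hold an unsalted md5() hex digest
// are verified once and upgraded in place, so no password reset is needed.
function verify_login(array &$user, string $plain): bool
{
    $stored = $user['password'];
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);

    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($plain))   // constant-time comparison
        : password_verify($plain, $stored);

    if ($ok && ($isLegacyMd5
            || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]))) {
        store_password($user, $plain);        // re-hash with salt and current cost
    }
    return $ok;
}

// Constructed sample rows: one legacy md5 row, one created with the new code.
$alice = ['password' => md5('secret')];
$bob   = [];
store_password($bob, 'a much longer passphrase');

var_dump(strlen($alice['password']));                 // digest length, whatever the input length
var_dump(verify_login($alice, 'secret'));             // legacy row, correct password
var_dump(strpos($alice['password'], '$2y$') === 0);   // whether the row was upgraded to bcrypt
var_dump(verify_login($bob, 'wrong guess'));          // new-style row, wrong password

// Profile page: print the fixed mask, never anything derived from the password.
echo 'Password: ', PASSWORD_MASK, PHP_EOL;
```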

I would just show a certain x number of stars no matter what the length is. Make it light grey or something and make it go away on focus (placeholder).

If you’re really interested in making this work like you wanted…

The user’s change password page will only be visible to the logged in user, so the solution is simple.

If you’re using sessions, just count the number of characters the successful password was and store it in the session… or just have a field in the database for length.

Name it something inconspicuous though, in case your database did get out…

Storing passwords in uncrackable form
Use bcrypt/scrypt (http://www.tarsnap.com/scrypt.html) for password hashing - they are designed just for this.

And regarding filling in with asterisks, just don’t do it. Leave password fields blank.

scrypt looks like an encryption routine rather than a hashing routine and so would be rather useless for passwords since anyone who gains access to the server would be able to decrypt all the passwords in order to find out what they are and so there is no real benefit to using that rather than storing them as plain text (which also just requires access to the server to find out what they are). The benefit to using a hash for the password rather than encryption is that even with access to the server there is still no way to extract the original password from the hashed version - although with the weaker hashing algorithms it is possible to find a value that will work as the password (but no way of knowing if that is actually the password or just another value that happens to hash to the same value).

Since the benefit to working out the passwords is to use them to break into other sites where their owners have accounts using the same password (since to get the password they need to have already broken into your site) even using a simple MD5 hash with a salt will ensure that the workable values obtained for this site will still be unlikely to work for other sites where the person is using the same password.

Avoid crypt_blowfish (bcrypt) at this time until we get a patch. Now I believe this only affects Linux servers. Windows doesn’t have crypt_blowfish so PHP uses its own version. However, if PHP is doing something different which bypasses the bug that was found in crypt_blowfish then maybe.

But it is not. Just like bcrypt in this context is not BlowFish encryption itself, rather its key expansion algorithm. I was referring to “scrypt key derivation function” rather than “scrypt encryption utility”.

@logic_earth, what bug are you referring to?

These are resources suggesting to use bcrypt:

One more alternative is to use PBKDF2 as defined in RFC2898. But to me use of bcrypt/scrypt seems a better option.

scrypt is thought to be even better for this purpose, however since there is less investigation done from authoritative cryptology experts, there is a risk that some issues will be found later on.

The one just recently discovered. bcrypt uses crypt_blowfish.
A hole in crypt_blowfish [LWN.net]

Note, using bcrypt/scrypt won’t actually improve security, nor is it required to reduce performance to reduce the risk of brute-force. There are much better ways.

You should be more worried about social engineering than brute-force hacking.

Thank you for the link.

Note, using bcrypt/scrypt won’t actually improve security, nor is it required to reduce performance to reduce the risk of brute-force. There are much better ways.

And those ways would be… ?