Two same hash function with same values return different outputs


#1

Hi,
please look at this code:

 $file = fopen("passwords.txt", "r") or die("Unable to open file!");
$test = fgets($file);
echo $encrypt =  md5(sha1($test)); // output is 68823bc3767b5215ea848d3ce9838bed | false
echo "</br>";
echo $encrypt =  md5(sha1("12345678"));// output is 8843028fefce50a6de50acdf064ded27 | true

The contents of passwords.txt is >> 12345678
I try to encrypt it by md5(sha1), but there is a problem: the output of md5(sha1($test)) is: 68823bc3767b5215ea848d3ce9838bed
but the true output should be 8843028fefce50a6de50acdf064ded27
I have the same values but the output is different. How can I fix it?


#2

Simple: Stop using outdated, insecure hashing methods like these and start using password_hash() and password_verify() to do your password hashing and checking.
Note the new method will give different results for the same string, but that’s a good thing, it’s harder to crack.


#3
echo $encrypt =  md5(sha1(trim($test)));

Will do the trick. fgets includes any newlines or whitespace that might be present. trim makes them go away.

But as previously mentioned, do make sure you understand the consequences of encrypting passwords in this fashion. Unless you are dealing with legacy apps that cannot be updated then don’t do this.


#4

In fact, I need to hash a password list to md5(sha1($pass)).


#5

I checked that issue; there is no space in any line, and
echo $encrypt = md5(sha1(trim($test)));

returns the same result.
Yes, I understand the difference between hashing and encryption.
In fact, I want to hash a passlist to a hashlist by the md5(sha1()) method.


  $file = fopen("passwords.txt", "r") or exit("Unable to open file!");
  $myfile = fopen("newfile.txt", "w") or die("Unable to open file!");
  while (!feof($file)) {
      $text = fgets($file);
      $readit = md5(sha1($text));
      fwrite($myfile, $readit);

      if (feof($file)) {
          echo "done";
          echo $text;
          break;
      }
  }
  fclose($file);
  fclose($myfile);

#6

!! IMPORTANT !! Hashing != Encryption


#7

Better check again. I tested my code before posting and got the expected results. You probably simplified things for your post and masked some other problem. This absolutely works:

<?php
$file = fopen("passwords.txt", "r") or die("Unable to open file!");
$test = fgets($file);
echo $encrypt =  md5(sha1(trim($test)));
echo "\n";
echo $encrypt =  md5(sha1("12345678"));
echo "\n";

#8

Can you send me your output?
No, it's just that; there is no more code in the PHP file.
I checked passwords.txt. Inside the file there is only the 1234568, without any space or anything more. I understand it can change the result.
Maybe it’s about the PHP version? My PHP version is 7.2.5.


#9
1234568 vs 12345678

Can you spot the difference?


#11

No, I want this code's output:

$file = fopen("passwords.txt", "r") or die("Unable to open file!");
$test = fgets($file);
echo $encrypt =  md5(sha1(trim($test)));
echo "\n";
echo $encrypt =  md5(sha1("12345678"));
echo "\n";

It's 68823bc3767b5215ea848d3ce9838bed vs 8843028fefce50a6de50acdf064ded27 for me.


#12

One of us is very confused. Echo out the contents of passwords.txt or echo out $test. It is not going to show 12345678 unless you have something else going on.

I get 8843028fefce50a6de50acdf064ded2 for both.


#13

I’m sorry to make you confused, my English is not very good :slight_smile:
I wanted the

echo $encrypt =  md5(sha1(trim($test)));

and

echo $encrypt =  md5(sha1("12345678"));

result. It is not the same for me. :frowning:


#14

And what I am trying to tell you is that trim($test) does not equal 12345678.

It really is that simple.


#15

Unless this is for a fun learning exercise of questionable value, I strongly recommend you stop and rethink this approach.

If “password.txt” means what it suggests, be aware that storing passwords in plain text is a major weakness. It should never be done.

The use of both md5 and sha1 implies that you are aware of their weakness and that you are trying to build strength by “doubling up”.

Unless you have advanced knowledge of hashing, trying to put together your own password hashing script is not a good idea at all. Especially now that there are native PHP functions that are proven to be more secure and involve writing less code to use them.
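The replies above recommend password_hash() and password_verify(), and one of them allows md5(sha1()) only for legacy apps. As an added example (not code from any poster in the thread), this sketch shows why the native functions give a different string on every call and how a stored legacy hash can be replaced at the next successful login; the function name `verifyAndUpgrade`, the record-format check and the sample password are assumptions.

```php
<?php
// Added example, not code from the thread. The function name, the record
// format check and the sample password are assumptions made for illustration.

function verifyAndUpgrade(string $password, string $stored): array
{
    // Legacy record: 32 lowercase hex characters from md5(sha1($password)).
    if (preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1) {
        $ok = hash_equals($stored, md5(sha1($password)));
        // After a successful login, swap the unsalted hash for a salted one.
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : $stored];
    }

    $ok = password_verify($password, $stored);
    // Re-hash when PHP's default algorithm or cost has moved on.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

$password = '12345678'; // constructed sample value

// The legacy scheme is deterministic: equal passwords give equal hashes.
$legacy = md5(sha1($password));
echo "legacy hashes equal:  ", var_export($legacy === md5(sha1($password)), true), "\n";

// password_hash() salts every call, so the two strings differ but both verify.
$a = password_hash($password, PASSWORD_DEFAULT);
$b = password_hash($password, PASSWORD_DEFAULT);
echo "modern hashes equal:  ", var_export($a === $b, true), "\n";
echo "both verify:          ", var_export(password_verify($password, $a) && password_verify($password, $b), true), "\n";

// Upgrade path for a stored legacy hash.
[$ok, $new] = verifyAndUpgrade($password, $legacy);
echo "legacy login accepted: ", var_export($ok, true), "\n";
echo "record now uses:       ", password_get_info($new)['algoName'], "\n";

[$ok, $same] = verifyAndUpgrade('wrong-guess', $legacy);
echo "wrong password accepted: ", var_export($ok, true), "\n";
echo "record unchanged:        ", var_export($same === $legacy, true), "\n";
```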


#16

I think you did not understand what I mean.
In fact, I have a password list; what I want to do is convert a password list into a hash list by md5(hash($pass)). How can I do it?
Can you send me a sample?
I wrote this code:

  $file = fopen("passwords.txt", "r") or exit("Unable to open file!");
  $myfile = fopen("hash.txt", "w") or die("Unable to open file!");
  while (!feof($file)) {
      $text = fgets($file);
      $readit = md5(sha1($text));
      fwrite($myfile, $readit);

      if (feof($file)) {
          echo "done";
          echo $text;
          break;
      }
  }
  fclose($file);
  fclose($myfile);

But this code writes incorrect hashes of passwordlist.txt to hash.txt. I am just trying to understand how I can fix it.


#17

OP, do you have any desire whatsoever to do this correctly? Your approach could not be any more wrong. As pointed out in so many words, this is a complete waste of time both on your part and the ones helping you do it wrong.

I for one will not help you, nor anyone else learn how to do something wrong, and in this case, it is VERY wrong.


#18

Though this may look like an interesting exercise, I don’t think hashing passwords is the actual problem. The main problem is an ethical problem. Storing user passwords in a text file is not ethical at all and anyone pushing for this kind of thing is the reason why there’s so many security problems. Storing passwords in a database is one thing, but storing them in text files to “display” is an ethical problem. If you were to do this in a professional setting, you’d be fired right away or have a really “cute” lecture from your boss. It is no joke to be pushing this kind of thing especially since some people should know better. :shifty:


#19

var_dump("12345678" === trim($test));

but as said, this approach is just a waste of time…


#20

Conversely, if the OP has been specifically instructed to hash some strings using the method that they are asking about, it won’t go down well for them to go back to their boss and start telling them about how they have the wrong approach, and refuse to do the work they’ve been assigned unless the boss agrees to do it a different way. Especially if the OP is in a relatively junior position.

I understand everyone who is trying to inform the OP on better ways to store passwords, but remember we don’t know the full situation here.

I get the same - I created a file (which I didn’t call “passwords”…) and put in 12345678 followed by a newline, and it gives the same result for both, and the same if I remove the newlines as far as notepad will allow me to.

Could the OP have character-encoding differences in the file?


#21

We can debate the approach of the system til the cows come home - OP could be attempting to hash things towards removing the concept of a password file entirely from the system. It has been pointed out that SHA1 and MD5 are both considered outdated methods for password hashing, and that there has been a designed function to do so implanted in later versions of PHP.

As to why the user is getting different answers from theoretically the same string, the first step is to unwind your attempt, and go step by step.

echo the value. Wrap it in quote marks, for visibility.
echo the trim of the value. Wrap it in quote marks, for visibility.
echo the sha1 of the value.
echo the md5 of the sha1 of the value.

View the source of the resultant page to examine for lingering carriage returns or other oddities.

mb_detect_encoding the value to determine the string type. If necessary, convert it to ensure your hashes match expected values.
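
The step-by-step check described in the last reply, as an added example that is not code from any poster in the thread: it dumps the bytes fgets() returned and names the usual invisible causes of a hash mismatch (kept line terminator, CRLF, byte order mark, or a value that simply differs). The function name `diagnoseLine` and the sample inputs are constructed for illustration.

```php
<?php
// Added example: show which bytes were really hashed and why they differ.
// The sample inputs below are constructed; they are not the poster's real file.

function diagnoseLine(string $raw, string $expected): array
{
    $report = ['raw_hex' => bin2hex($raw), 'findings' => []];
    $clean  = $raw;

    // A UTF-8 byte order mark (EF BB BF) is invisible in most editors
    // and is not removed by trim().
    if (strncmp($clean, "\xEF\xBB\xBF", 3) === 0) {
        $report['findings'][] = 'UTF-8 BOM at start of line';
        $clean = substr($clean, 3);
    }
    // UTF-16 text starts with FF FE or FE FF and is not single-byte text.
    if (strncmp($clean, "\xFF\xFE", 2) === 0 || strncmp($clean, "\xFE\xFF", 2) === 0) {
        $report['findings'][] = 'UTF-16 BOM: convert the file before hashing';
    }
    // fgets() keeps the line terminator: "\n" on Unix, "\r\n" on Windows.
    if (preg_match('/\r?\n\z/', $clean) === 1) {
        $report['findings'][] = 'line terminator kept by fgets()';
    }
    $clean = trim($clean);

    $report['clean_hex'] = bin2hex($clean);
    $report['matches']   = ($clean === $expected);
    $report['sha1']      = sha1($clean);
    $report['md5_sha1']  = md5($report['sha1']);
    return $report;
}

$samples = [
    'newline only'  => "12345678\n",
    'CRLF'          => "12345678\r\n",
    'BOM + CRLF'    => "\xEF\xBB\xBF12345678\r\n",
    'missing digit' => "1234568\n",
];

foreach ($samples as $label => $raw) {
    $r = diagnoseLine($raw, '12345678');
    printf("%-14s raw=%s\n", $label, $r['raw_hex']);
    printf("  findings: %s\n", implode('; ', $r['findings']) ?: 'none');
    printf("  cleaned value equals expected: %s\n", $r['matches'] ? 'yes' : 'no');
    printf("  md5(sha1()) = %s\n", $r['md5_sha1']);
}
```

To check a real file, pass the return value of fgets($file) as the first argument instead of a constructed sample.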