gikid Posted January 26, 2005

I love md5 encryption

<?php
/*
A simple MD5 password encryption tool
Created By: gikid
*/
// Creates a variable holding the password
$password = "The_Password";
// Encrypts the password into an "irreversible" MD5 form
$encpass = md5($password);
// Prints out the encrypted password
print($encpass);
?>

you should try it out

LuciferStar Posted January 27, 2005

Me, too. All the passwords in my applications are cyphered by MD5. It's a one-way hashing algorithm.

Roly Posted January 28, 2005

wtf way too long a script, all that is so easy you don't even need the comments

<?php echo md5('The_Password'); ?>

See how I did that with ONE and ONLY ONE line?

farsiscript Posted October 13, 2006

Dear gikid, I love md5 too, but md5 is not very secure. I think now all hackers can recode md5, and it's not good. For designers: you can make a custom md5 and save it in the database. For example, vb (forum) saves a custom md5 password: bind the real password and the real day of signup and then md5 this string. Have a good day.

electron Posted October 13, 2006

Well, you should use a salt for additional security. Now a salt is an additional number that is specific only to the user, like his ID or day of signup. This is because MD5 gives the same encrypted text for some words (though one in a million match). So for additional security from hackers and for the safety of the users, use a salt like the user's id. Just join the user's id with the password given by him and then use md5 to encrypt it. That should do the trick. Also sha1() is a more popular and believed to be safer encrypting technique for the passwords and secret answers to the questions.

Amezis Posted October 14, 2006

md5 is not possible to "decrypt", so it's very safe. The only way to find out what the MD5 hash is would be to either brute force or to search in an md5 database. MD5 databases are databases storing thousands of MD5 hashes and the words they are linked to. If you salt the passwords, there won't be any databases that store a password with a salt (not any large databases as far as I know), so doing an md5 with this script should be very secure:

<?php
$hash = md5($password . $user_registration_date . $password . $user_id . $username);
?>

It might be a long code, but hey, it's safe!

krap Posted October 14, 2006

There's no way anybody could crack that. IMO even this would be enough:

<?php
$hash = md5($password . $user_id);
?>

Because those databases won't have every word combined with every number

electron Posted October 15, 2006

That's right, and that is why I suggested to use a salt, as MD5 dictionaries use normal English words only, not user ids.

Spectre Posted October 15, 2006

Using a salt is certainly a good idea, but it is not 100% secure. Even combining details as mentioned by Amezis isn't going to absolutely guarantee against the password being broken. In order for a password to work, you are obviously going to need to re-hash it from plaintext at some point in order to compare it against the already hashed password stored in the database - and if someone manages to obtain the exact code you are using to do this, re-creating the hash isn't going to be overly difficult. In Amezis' example, for instance, the attacker would simply need to obtain all the details that are being combined to create the hash - which they would presumably have if they were sniffing around your database to get the final hash in the first place - and then combine the applicable data with possible password combinations and run it through a dictionary cracker. It might be slightly more difficult, but it's certainly possible.

IPB, for example, uses (or at least it used to use) a simple 4-character password salt which was hashed, and that hash was then concatenated with the plaintext password and hashed again, and the final value was stored in the database as the user's password. But all that had to be retrieved was the salt and the hash, and this process could very easily be repeated by anyone in order to eventually uncover the password.

Edited October 15, 2006 by Spectre

electron Posted October 16, 2006

What does IPB do now then? Well, this is standard I believe in the PHP world. SMF uses the user's ID as a salt directly without hashing it first. Also, if anyone did manage to get the hashed and salted password, it is not possible to decrypt it. If you want to get a hold of the password then you can only do it while taking the form or if it leaks over the network. Decrypting would require some 1000's of years.

Spectre Posted October 17, 2006

I have no idea what IPB does now, as I have not looked at any source code for it for quite a long time. Using a 'salt' is indeed a good idea, I'm not contesting that at all - I'm just saying that it still isn't completely safe.

An old IPB version (I don't remember which were affected by it, but it's long been resolved - although similar problems seem to pop up all the time in various large-scale PHP applications) had a bug that allowed arbitrary SQL to be injected into the URL when quoting a post, if memory serves correct. So basically any data could be retrieved from the database, including the salt and the password, allowing the hashing process to be recreated by the attacker and the result then compared.

My point basically is that if the method used to create the hash is known (e.g. the data hashed and in what order), and the data used therein can be 'found', then the password can still be broken, salt or no salt. It may take time, but brute-forcing any one-way encrypted password does.

Edited October 17, 2006 by Spectre

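The posts above come down to this: once the salt and the recipe are known, the only protection left is how expensive each guess is. As an added example that is not part of the original thread, the sketch below moves rows stored as krap's md5($password . $user_id) to PHP's built-in password_hash() at the next successful login. The names legacy_hash(), verify_and_upgrade() and the $user row are hypothetical, and the sample data is constructed.

```php
<?php
// Added example, not from the thread. All names and data are constructed.

// Legacy scheme discussed above: fast, unkeyed MD5 with the user id as salt.
function legacy_hash(string $password, int $userId): string
{
    return md5($password . $userId);
}

// Returns the hash to store after a successful login, or null on failure.
function verify_and_upgrade(array $user, string $password): ?string
{
    $stored = $user['hash'];

    // Legacy rows are exactly 32 hex characters; migrated rows are not.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, legacy_hash($password, $user['id']))) {
            return null;
        }
        // Correct password: replace the MD5 value with a slow, salted hash.
        return password_hash($password, PASSWORD_DEFAULT);
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash when PHP's default algorithm or cost has moved on.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed row standing in for the users table.
$user = ['id' => 42, 'hash' => legacy_hash('The_Password', 42)];

$upgraded = verify_and_upgrade($user, 'The_Password');
var_dump(verify_and_upgrade($user, 'wrong_guess'));     // rejected login
$user['hash'] = $upgraded;                              // an UPDATE in a real application
var_dump(password_get_info($user['hash'])['algoName']); // algorithm now in use
var_dump(verify_and_upgrade($user, 'The_Password') === $user['hash']);
```

password_hash() generates a random salt per password and stores it, together with the cost, inside the returned string, so the hash column should be widened (the PHP manual suggests 255 characters) before migrating.
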
cwconline Posted June 27, 2007

Yeah, I use Md5 a lot but I found a cool new thing and it's called encrypt

<?php encrypt(); ?>

and it works great and is more secure I believe! MD5 can be cracked...

galexcd Posted July 2, 2007

Why not instead of adding salt you just rehash the hash...

md5(md5($password));

I'd think that would be the hardest for a hacker to break because the md5 hash of the original password will definitely not be in a database of common dictionary words, and if they use a program trying every single possibility and hashing it (a, b,.... aa, ab, ac.. etc) will have to check 32 letters and would have to incorporate numbers and letters, instead of just a 5-15 long password with usually only letters. Then after finding out the original md5 hash, which would take weeks, they could finally decrypt the new md5 hash of the password. If you wanted to really annoy them without going with Amezis's extremely long hash

<?php
$hash = md5($password . $user_registration_date . $password . $user_id . $username);
?>

you can add the user id within the inner function:

md5(md5($password.$id));

Now talk about impossible to crack... I still think the dual md5 encryption is enough, even if the hacker knows the syntax, it will take them forever to figure it out, let alone get the hash in the first place. You guys are forgetting the hardest part about this whole thing, getting into your database and stealing the hash. I'm sure your websites don't go giving out the hashes for free. It would take a while for a hacker to find a place in your website that he can inject sql to get the hashes.

Edited July 2, 2007 by alex7h3pr0gr4m3r