News:

LVCS.NET offers low cost domain registration services.

Main Menu

Encrypt and . . . DECRYPT!??!

Started by sixthcrusifix, November 30, 2005, 12:43:05 AM

Previous topic - Next topic

sixthcrusifix

The following s redarging PHP only.

Okay, I know how to use MD5 to encrypt something. . . and I know how to use crypt() to encrypt something. . . BUT HOW THE HECK DO YOU DECRYPT IT?? I have a login/logout registration script I made that stores users in my database, but I wanted to ecrypt the passwords for security.. but I don't know how to decrypt them! Can anyone helP?

So far I have this:

Quote

$password = md5($userinput);

if(preg_match("/^\w+$/",$username)){
   echo "Username is fine, ";
$conn = @mysql_connect("localhost","sixthcrusifix","-----") or die("Connection Failed, Contact Admin");
 
  $db = @mysql_select_db("DATA", $conn) or die("POOP");

  $sql = "insert into userbase (username,password,EMAIL,interests) values (\"$username\",\"$password\",\"$email\",\"$interests\")";

But when I'm checking to see if they got the password right on logging in . . . could I just MD5 their input and see if it matches?

Edit by nq2h: Your mysql password has been filtered.
Visite me website at http://www.sixthcrusifix.com

Julian

Quote from: sixthcrusifix on November 30, 2005, 12:43:05 AM
BUT HOW THE HECK DO YOU DECRYPT IT??

MD5() is a one way hashing function. You cannot decrypt it.

webzone (archived)

#2
That is the whole point of MD5 by the way. Then, you are sure that nobody can decipher your password (almost sure).

If you want to check if a password that was provided (let's call him x) is valid by comparing it to the database, just encrypt x and compare it to the encrypted value in the database. A given password will always produce the same value when encrypted with MD5.

You may also consider to use SHA-1, as MD5 is getting easier to break everyday.

sixthcrusifix

Quote from: webzone on November 30, 2005, 01:10:37 AM
That is the whole point of MD5 by the way. Then, you are sure that nobody can decipher your password (almost sure).

If you want to check if a password that was provided (let's call him x) is valid by comparing it to the database, just encrypt x and compare it to the encrypted value in the database.

OK that works thanks.
Visite me website at http://www.sixthcrusifix.com

neosquared

Quote from: webzone on November 30, 2005, 01:10:37 AM
You may also consider to use SHA-1, as MD5 is getting easier to break everyday.

Another reason to use SHA1 is because it uses a longer hash, giving more posible results.
Infinite number of strings to feed into the hashing algoritm, finite number of hashes to come out.
So there is a (very small) chance that two passwords will have the same hash.  But it usually isn't something you need to worry about.  And if it does become something you have to worry about, you can put in some sort of protection for brute force attacks.  But I digress.
Don't take servers for granted.
Everything is flammable, if you get it hot enough.
Visit my website!  It'll make you cooler!

sixthcrusifix

Quote from: neosquared on November 30, 2005, 09:11:59 AM
Quote from: webzone on November 30, 2005, 01:10:37 AM
You may also consider to use SHA-1, as MD5 is getting easier to break everyday.

Another reason to use SHA1 is because it uses a longer hash, giving more posible results.
Infinite number of strings to feed into the hashing algoritm, finite number of hashes to come out.
So there is a (very small) chance that two passwords will have the same hash.  But it usually isn't something you need to worry about.  And if it does become something you have to worry about, you can put in some sort of protection for brute force attacks.  But I digress.

Well what about md5ing your md5'ed passworrds (for laziness sake)




<?php
$password 
md5($posted_password);
$new_password md5($password);

?>



It's be really hard to figure out the hash of a hash of a string wouldn't it?
Visite me website at http://www.sixthcrusifix.com

webzone (archived)

#6
Quote from: sixthcrusifix on November 30, 2005, 05:09:15 PM
Well what about md5ing your md5'ed passworrds (for laziness sake)


<?php
$password 
md5($posted_password);
$new_password md5($password);

?>



It's be really hard to figure out the hash of a hash of a string wouldn't it?

it doesn't help at all. example :

let's *pretend* that these two passwords give the same value after md5
pass1 = abcd md5 = 1234
pass2 = efgh md5 = 1234

as crypting the string "1234" using md5 will always provide the same result, you do not fix your collision problem by applying md5 recursively.

the best solution is to use a better cryptographic function. SHA1 is slightly better. the mhash extension of PHP (installed on freepgs) provides loads of hashing functions that are way harder to crack. you can take a look at them at http://php.net/mhash

sixthcrusifix

Quote from: webzone on November 30, 2005, 09:07:54 PM
Quote from: sixthcrusifix on November 30, 2005, 05:09:15 PM
Well what about md5ing your md5'ed passworrds (for laziness sake)


<?php
$password 
md5($posted_password);
$new_password md5($password);

?>



It's be really hard to figure out the hash of a hash of a string wouldn't it?

it doesn't help at all. example :

let's *pretend* that these two passwords give the same value after md5
pass1 = abcd md5 = 1234
pass2 = efgh md5 = 1234

as crypting the string "1234" using md5 will always provide the same result, you do not fix your collision problem by applying md5 recursively.

the best solution is to use a better cryptographic function. SHA1 is slightly better. the mhash extension of PHP (installed on freepgs) provides loads of hashing functions that are way harder to crack. you can take a look at them at http://php.net/mhash

OH I was just wondering if using md5 twice would make it harder to crack.
Visite me website at http://www.sixthcrusifix.com

GP™

Not really. What they do is plug in a brute fource attack, which basicly puts millions of passwords in your forum which is why you should "ALWAYS" put a humancheck on inportant forums such as login and registration forums, and protect against SQL Injection.

As far as I know, it is impossiable to crack a MD5 encrypyion, but, it is possiable to brute fource your script

GP™

I stand corrected, There is ways to crack a MD5 encrtyped code, the longer, or more sentive codes are how ever, hard to crack ;)

GP™

Quote from: gordon on December 19, 2005, 12:57:51 AM
I stand corrected, There is ways to crack a MD5 encrtyped code, the longer, or more sentive codes are how ever, hard to crack ;)

I would show you guys an example, but I don't think I could ever forgive my self for giving people a md5 cracker, It is not advanced, but it cracked my md5 hash, which scared me.

Safety Tips:
1. Never use commen words (Example: Pizza, Computer, Windows, Door)
2. Always, if possiable, make your password case sentive (Example: Instead of password make it PasSwOrD)
3. If you have the abity to add difrent chars, do so (Example: (", ', !, @, #, $, %, ^ ECT.)
4. NEVER EVER EVER share your password, even if its your best friend!
5. Scan your computer for spyware, some spyware logs passwords, and other information such as creditcard numbers
6. NEVER respond or click on an email that looks funny, always check the url before submiting information,
it could be email attack: (Example: I got an email for paypal saying I needed to update my creditcard number, I click the link, it looked like paypal, but the added was something like http://12.345.356.32/update.html)

Hope this helps, and sorry I can't show you a demo, but.. lets put it this way, I hashed the word pizza, case sentive, and it cracked it
n 5 secs ;)...

brainiac744

Wow, that is scary. I've been under the impression all this time (much as you apparantly) that MD5 was (at the time anyway) uncrackable.

EDIT: well, without brute-force that is...

GP™

The cracking method that people are using is basicly taking commen words, such as pizza, book, door, window, ect, and creating a directory. then making a script or program to compare the hash provide to those hashes, which is why the more unique passwords are your best best, for example
FrMwbTaC55
would be
freepgs rocks my world becaluse they are cool 55
;) Your not using and commen words, yet its easy to remember, and the added 55 makes it even more secure ;)

brainiac744

OK, so they haven't really "cracked" MD5 then, it's really a brute-force attack using a dictionary.

GP™

There is a cracked version, but... only real hackers use them ;)... I tested the, what I call, Pissant version, its the version of all the little pissants out there that don't know how to hack, but they are trying to get a password ;)