mikelmao Posted August 21, 2008

Hey, I want to make a register and login system with MD5 encrypting. How can I encrypt a password input ($_POST['pass']) and also make the login system change the MD5 back to normal? Please help me here. Thanks.

DeanWhitehouse Posted August 21, 2008

MD5 is one-way hashing. To hash, do md5($_POST['pass']); and on the login do the same: you will need to hash it and then compare.

mikelmao Posted August 22, 2008 (Author)

What? I'm confused. Could you show a small example?

DeanWhitehouse Posted August 22, 2008

I have.

mikelmao Posted August 22, 2008 (Author)

Yeah, but like, explain it more.

DeanWhitehouse Posted August 22, 2008

What do you want to know?

ohdang888 Posted August 22, 2008

The safest way to do it is while users are registering, put the md5 hash of the password in the database... and on login, do this:

    // Hash the submitted password the same way it was hashed at registration.
    $input = md5($_POST['pass']);
    // $email was not defined in the original snippet; the 'email' form field is an assumption.
    $email = mysql_real_escape_string($_POST['email']);
    // A row comes back only when both the email and the stored hash match.
    $res = mysql_query("SELECT * FROM users WHERE email='$email' AND password='$input'") or die(mysql_error());

mikelmao Posted August 22, 2008 (Author)

Why is it safer?

Stephen Posted August 22, 2008

If someone steals your database, all they see is some random gibberish. You should also salt your passwords. Here's an example (you will need a salt function to make $salt = say a ten-character salt; they're all random characters).

Register:

    // Store md5(md5(password) . salt) together with the salt itself.
    mysql_query("INSERT INTO users (name, password, salt) VALUES ('".$_POST["name"]."', '".md5(md5($_POST["password"]) . $salt)."', '".$salt."')");

Login:

    // this is just checking the password
    if ($rows["password"] == md5(md5($_POST["password"]) . $rows["salt"])) {
        // correct password
    }

You could also try whirlpool encryption. Note: that is not a safe query. Also, these wouldn't work just like that. But those are just examples on inputting it and checking it.

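The register and login steps from the post above, as an added example that is not code from the thread: it swaps the MD5-plus-salt construction for PHP's password_hash() and password_verify(), which generate and store the per-user salt themselves, and uses PDO placeholders in place of string-built queries. The table layout, function names and sample credentials are constructed for illustration, and an in-memory SQLite database (pdo_sqlite) is assumed so the block runs on its own.

```php
<?php
// Added example, not code from the thread. Table layout, function names
// and sample credentials are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register_user(PDO $db, string $name, string $password): void
{
    // password_hash() generates a random per-user salt and stores it,
    // with the algorithm and cost, inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    if (!password_verify($password, $stored)) {
        return false; // wrong password
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE name = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// A name containing a quote character is stored as data, not parsed as SQL.
register_user($db, "o'brien", 'correct horse battery staple');
var_dump(check_login($db, "o'brien", 'correct horse battery staple'));
var_dump(check_login($db, "o'brien", 'wrong guess'));
var_dump(check_login($db, 'nobody', 'anything'));
```
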
DeanWhitehouse Posted August 22, 2008

But md5's can be cracked, so if they do get hold they can crack it.

akitchin Posted August 22, 2008

> But md5's can be cracked, so if they do get hold they can crack it

Not with ease. You may have heard that MD5 is not totally secure, but the main reason behind that is because of destination duplicates. "Cracking" one in the classic sense remains quite a difficult task.

Stephen Posted August 22, 2008

> But md5's can be cracked, so if they do get hold they can crack it

It's better to make them work than to just give them the plain-text password.

DeanWhitehouse Posted August 22, 2008

@akitchin, I have found a site that can crack it in a few hours using brute force. If you want improved security you could write your own encryption.

Zane Posted August 22, 2008

> I have found a site that can crack it in a few hours using brute force.

Then if you can tell me what this password is then I'll give you $500

64e55a26ea337d6ed168a96e5252272f

and a brand new car.

Mchl Posted August 22, 2008

Well, there's always hash(), which offers several other hashing algorithms. See list here.

zanus: It's not a matter of finding the exact password, but rather a string that when hashed will produce the same output. That's why salting is so important.

Zane Posted August 22, 2008

sshhh..

ohdang888 Posted August 22, 2008

Couldn't you really slow the person down by doing md5's of md5's? For example:

    $pass = md5(md5(md5(md5(md5($pass)))));

Seems as though it would be good for regular sites... yeah, it could be cracked, but it would take a lonnnngggg time for little benefit as long as the site doesn't deal with money or sensitive info.

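The repeated-hashing idea from the post above, as an added example that is not code from the thread: it uses PBKDF2 (PHP's hash_pbkdf2()) with a random per-user salt and a stored iteration count instead of nested md5() calls, and times both so the difference in work per guess is visible. The function names, record format, iteration count and sample password are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names, the record
// format and the iteration count are assumptions made for illustration.
const STRETCH_ITERATIONS = 600000; // assumed work factor; tune per server

function stretch_password(string $password, int $iterations = STRETCH_ITERATIONS): string
{
    // A fresh random salt per user: equal passwords get different records.
    $salt = random_bytes(16);
    // PBKDF2 chains HMAC-SHA256 $iterations times: the md5(md5(...)) idea,
    // but with a count that is stored and can be raised later.
    $key = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return $iterations . '$' . bin2hex($salt) . '$' . bin2hex($key);
}

function verify_stretched(string $password, string $record): bool
{
    $parts = explode('$', $record);
    // Reject malformed records instead of passing them to hex2bin().
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || (int) $parts[0] < 1
        || !ctype_xdigit($parts[1]) || strlen($parts[1]) % 2 !== 0
        || !ctype_xdigit($parts[2]) || strlen($parts[2]) !== 64) {
        return false;
    }
    $salt = hex2bin($parts[1]);
    $key  = hash_pbkdf2('sha256', $password, $salt, (int) $parts[0], 32, true);
    // hash_equals() compares in constant time.
    return hash_equals(hex2bin($parts[2]), $key);
}

// Constructed sample password; timings depend on the machine.
$start  = microtime(true);
$record = stretch_password('hunter2');
printf("PBKDF2 x %d: %.1f ms\n", STRETCH_ITERATIONS, (microtime(true) - $start) * 1000);

$start = microtime(true);
md5(md5(md5(md5(md5('hunter2')))));
printf("md5 x 5: %.4f ms\n", (microtime(true) - $start) * 1000);

var_dump(verify_stretched('hunter2', $record));
var_dump(verify_stretched('hunter3', $record));
var_dump(verify_stretched('hunter2', 'not-a-record'));
```
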