joshuaceo Posted January 5, 2009

I am trying to edit a shopping cart and I want to be able to view and edit user accounts in the admin area. Right now I managed to show the password with this code:

<div class="listItemText" style="width:150px;"><?=htmlspecialchars($db->col["password"])?></div>

So what code would I need to put so that it would show the password and not the md5 encrypted password?

This is what currently shows: fe01ce2a7fbac8fafaed7c982a04e229
The password should be: demo

I hope someone can help =)

PFMaBiSmAd Posted January 5, 2009

md5() is not encryption; it is a one-way hash. You cannot undo it and get back the original password.

joshuaceo Posted January 5, 2009

This website does it. Would anyone know how to show the encrypted password? http://www.md5encrypter.com/

bubbasheeko Posted January 5, 2009

Yes, that site can do some of them. How? It creates a database of word lists and basically plays the match game. It, in no way, decrypts an MD5 password hash.

What you can do, but it jeopardizes password security, is create your own hash and then reverse engineer it to decrypt the password. I do not suggest that, but it is another option.

Mark Baker Posted January 5, 2009

"What you can do, but it jeopardizes password security is create your own hash and then reverse engineer it to decrypt the password. I do not suggest that, but it is another option."

Or actually encrypt the password rather than hash it.

Rushyo Posted January 8, 2009

md5 is a hashing algorithm offering one-way cryptography, not an encryption algorithm (e.g. a cipher). Without using cracking techniques, you cannot ascertain the original password since there is no key to facilitate this. The password you gave in the example is unsalted[1] and thus liable to be cracked using a publicly available reverse lookup service[2].

As a system administrator, you should be aware snooping on people's passwords is morally dubious. Especially where shopping carts are concerned. If you need to recover an account with an unknown password, just create a new hash of a password you know and overwrite the old one.

If you absolutely must be able to decrypt it whilst nobody else can, switch to encipherment (a form of two-way cryptography)[3]. In PHP, this is reliably provided by the mcrypt library[4].

"This website does it. would anyone know how to show the encrypted password?"

That website uses a cracking technique known as a reverse lookup. Whilst it has a database of 779,266 words, a 1-10 character long alphanumeric password has approximately 5,188,586,409,742,400 (about 5 Quadrillion) combinations. To create such a lookup table would take a quad-core server something like 6500 years, according to a quad-core server running my reverse lookup table generating algorithm.

If you are handling shopping carts you should ensure a secure password implementation. Unsalted MD5 is not secure and its use suggests that there are likely to be other security flaws present in the application. This could be disastrous for you or your client.

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://www.milw0rm.org/cracker/insert.php
[3] http://en.wikipedia.org/wiki/Encryption
[4] http://uk.php.net/mcrypt

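
The recovery approach from the post above (overwrite the stored hash instead of displaying the password), combined with salted hashing, as an added example that is not part of the thread or the shopping cart's code. It goes slightly beyond the post by upgrading legacy MD5 rows at login; the $accounts array stands in for the users table, all function names are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example: constructed data, hypothetical helper names.

// Unsalted MD5 is deterministic: every account using the same password
// stores the same value, which is what word-list lookup sites match against.
function legacy_hash(string $password): string
{
    return md5($password);
}

// password_hash() generates a random salt per call and embeds it, with the
// algorithm and cost, in the returned string.
function store_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Admin recovery: overwrite the stored hash with one made from a new
// temporary password. The old password is never recovered or displayed.
function admin_reset(array &$accounts, string $user): string
{
    $temporary = bin2hex(random_bytes(8));   // 16 hex characters from a CSPRNG
    $accounts[$user] = store_hash($temporary);
    return $temporary;                       // hand to the user once
}

// Login check that also replaces a legacy MD5 row after a successful login.
function verify_login(array &$accounts, string $user, string $password): bool
{
    $stored = $accounts[$user] ?? '';
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {        // legacy MD5 row
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        $accounts[$user] = store_hash($password);         // rehash with salt
        return true;
    }
    return password_verify($password, $stored);
}

// Constructed sample rows: two users who chose the same password.
$accounts = ['alice' => legacy_hash('demo'), 'bob' => legacy_hash('demo')];
var_dump($accounts['alice'] === $accounts['bob']);    // compare the two MD5 rows
var_dump(store_hash('demo') === store_hash('demo'));  // compare two salted hashes
var_dump(verify_login($accounts, 'alice', 'demo'));   // also migrates alice's row
$temp = admin_reset($accounts, 'bob');
var_dump(verify_login($accounts, 'bob', $temp), verify_login($accounts, 'bob', 'demo'));
```
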
bubbasheeko Posted January 9, 2009

Thanks Rushyo, that was a great response!

kmaid Posted January 20, 2009

Actually I *believe* that MD5 is no longer secure as the previously mentioned website solved an MD5 hash of two MD5ed strings.

*EDIT* I take it back, must have been lucky.

Joshuaceo, you are missing the point of storing your password in MD5. The reason is that should someone know the hash, they don't know the phrase to make the hash. Either store the password in plaintext in your database or save the password in their session when they login and use that.