How do I show MD5 encrypted passwords?


joshuaceo

I am trying to edit a shopping cart and I want to be able to view and edit user accounts in the admin area.

 

Right now I managed to show the password with this code:

 

<div class="listItemText" style="width:150px;"><?=htmlspecialchars($db->col["password"])?></div>

 

So what code would I need to put so that it would show the password and not the md5 encrypted password?

 

This is what currently shows: fe01ce2a7fbac8fafaed7c982a04e229

 

the password should be: demo

 

 

I hope someone can help =)

Link to comment
Share on other sites

Yes that site can do some of them.

 

How?

 

It creates a database of word lists and basically plays the match game. It, in no way, decrypts an MD5 password hash.

 

What you can do, but it jeopardizes password security, is create your own hash and then reverse engineer it to decrypt the password. I do not suggest that, but it is another option.

Link to comment
Share on other sites

MD5 is a hashing algorithm offering one-way cryptography, not an encryption algorithm (e.g. a cipher). Without using cracking techniques, you cannot ascertain the original password since there is no key to facilitate this.

 

The password you gave in the example is unsalted[1] and thus liable to be cracked using a publicly available reverse lookup service[2].

 

As a system administrator, you should be aware that snooping on people's passwords is morally dubious. Especially where shopping carts are concerned.

 

If you need to recover an account with an unknown password, just create a new hash of a password you know and overwrite the old one.

 

If you absolutely must be able to decrypt it whilst nobody else can, switch to encipherment (a form of two-way cryptography)[3]. In PHP, this is reliably provided by the mcrypt library[4].

 

"This website does it.  would anyone know how to show the encrypted password?"

 

That website uses a cracking technique known as a reverse lookup. Whilst it has a database of 779,266 words, a 1-10 character long alphanumeric password has approximately 5,188,586,409,742,400 (about 5 quadrillion) combinations. To create such a lookup table would take a quad-core server something like 6500 years, according to a quad-core server running my reverse lookup table generating algorithm.

 

If you are handling shopping carts you should ensure a secure password implementation. Unsalted MD5 is not secure and its use suggests that there are likely to be other security flaws present in the application. This could be disastrous for you or your client.

 

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)

[2] http://www.milw0rm.org/cracker/insert.php

[3] http://en.wikipedia.org/wiki/Encryption

[4] http://uk.php.net/mcrypt

Link to comment
Share on other sites
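
The account-recovery approach from the post above (overwrite the stored hash with a new one instead of recovering the old password), as an added example that is not part of the original thread. It goes beyond the post by using PHP's built-in salted `password_hash()` and by upgrading legacy unsalted MD5 rows at login; the `$users` array and both function names are hypothetical stand-ins for the cart's user table.

```php
<?php
// Added example: $users stands in for the cart's user table (constructed data).
$users = [
    // Legacy row: unsalted MD5 hex digest, the format the cart stores today.
    'demo_user' => ['password' => md5('demo')],
];

// Admin reset: never read the old password, overwrite it with a fresh salted hash.
function admin_reset_password(array &$users, string $name): string
{
    $temporary = bin2hex(random_bytes(8)); // one-time password to hand to the user
    $users[$name]['password'] = password_hash($temporary, PASSWORD_DEFAULT);
    return $temporary;
}

// Login check that accepts a legacy MD5 row once, then replaces it with a salted hash.
function verify_login(array &$users, string $name, string $candidate): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];

    // Exactly 32 hex characters means a legacy unsalted MD5 row.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($candidate))) {
            return false;
        }
        // Correct password: upgrade the row so the MD5 digest is no longer stored.
        $users[$name]['password'] = password_hash($candidate, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($candidate, $stored)) {
        return false;
    }
    // Re-hash if PHP's default algorithm or cost has changed since the hash was stored.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['password'] = password_hash($candidate, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(verify_login($users, 'demo_user', 'demo'));  // legacy row is checked, then upgraded
$temp = admin_reset_password($users, 'demo_user');    // admin overwrites without knowing the old one
var_dump(verify_login($users, 'demo_user', 'demo'));  // checked against the new salted hash
var_dump(verify_login($users, 'demo_user', $temp));   // temporary password from the reset
```

The admin page then needs only a "reset password" action; the stored column is never displayed.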

  • 2 weeks later...

Actually I *believe* that MD5 is no longer secure, as the previously mentioned website solved an MD5 hash of two MD5ed strings.

*EDIT*

I take it back, must have been lucky.

 

Joshuaceo

You are missing the point of storing your password in MD5. The reason is that should someone know the hash, they don't know the phrase to make the hash. Either store the password in plaintext in your database or save the password in their session when they log in and use that.

 

 

Link to comment
Share on other sites
