This topic is now archived and is closed to further replies.

joshuaceo

How do I show MD5 encrypted passwords?


I am trying to edit a shopping cart and I want to be able to view and edit user accounts in the admin area.

 

Right now I managed to show the password with this code:

 

<div class="listItemText" style="width:150px;"><?=htmlspecialchars($db->col["password"])?></div>

 

So what code would I need to put so that it would show the password and not the md5 encrypted password?

 

This is what currently shows: fe01ce2a7fbac8fafaed7c982a04e229

 

The password should be: demo

 

 

I hope someone can help =)


md5() is not encryption; it is a one-way hash. You cannot undo it and get back the original password.


Yes that site can do some of them.

 

How?

 

It creates a database of word lists and basically plays the match game. It, in no way, decrypts an MD5 password hash.

 

What you can do, but it jeopardizes password security, is create your own hash and then reverse engineer it to decrypt the password. I do not suggest that, but it is another option.


What you can do, but it jeopardizes password security, is create your own hash and then reverse engineer it to decrypt the password. I do not suggest that, but it is another option.

Or actually encrypt the password rather than hash it.


md5 is a hashing algorithm offering one-way cryptography, not an encryption algorithm (e.g. a cipher). Without using cracking techniques, you cannot ascertain the original password since there is no key to facilitate this.

 

The password you gave in the example is unsalted[1] and thus liable to be cracked using a publicly available reverse lookup service[2].

 

As a system administrator, you should be aware snooping on people's passwords is morally dubious. Especially where shopping carts are concerned.

 

If you need to recover an account with an unknown password, just create a new hash of a password you know and overwrite the old one.

 

If you absolutely must be able to decrypt it whilst nobody else can, switch to encipherment (a form of two-way cryptography)[3]. In PHP, this is reliably provided by the mcrypt library[4].

 

"This website does it.  would anyone know how to show the encrypted password?"

 

That website uses a cracking technique known as a reverse lookup. Whilst it has a database of 779,266 words, a 1-10 character long alphanumeric password has approximately 5,188,586,409,742,400 (about 5 Quadrillion) combinations. To create such a lookup table would take a quad-core server something like 6500 years, according to a quad-core server running my reverse lookup table generating algorithm.

 

If you are handling shopping carts you should ensure a secure password implementation. Unsalted MD5 is not secure and its use suggests that there are likely to be other security flaws present in the application. This could be disastrous for you or your client.

 

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)

[2] http://www.milw0rm.org/cracker/insert.php

[3] http://en.wikipedia.org/wiki/Encryption

[4] http://uk.php.net/mcrypt

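The recovery advice in the post above (overwrite the stored hash with a new one instead of revealing it) together with its warning about unsalted MD5, as an added PHP example that is not from the thread or from the shopping cart's code. The `$users` array and the functions `admin_reset_password()` and `verify_login()` are hypothetical names standing in for the cart's user table and login code; `password_hash()`, `password_verify()` and `random_bytes()` are PHP built-ins (PHP 7 or later assumed).

```php
<?php
// Constructed in-memory user table standing in for the cart's database (assumption).
$users = [
    'alice' => ['password' => md5('demo')],   // legacy row: unsalted MD5, as in the thread
];

// Admin-side recovery: the stored value is never displayed, only replaced
// with a salted hash of a fresh one-time password.
function admin_reset_password(array &$users, string $username): string
{
    $temporary = bin2hex(random_bytes(8));    // handed to the user, changed on next login
    $users[$username]['password'] = password_hash($temporary, PASSWORD_DEFAULT);
    return $temporary;
}

// Login check that still accepts legacy MD5 rows and upgrades them on success.
function verify_login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['password'];
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;  // bare MD5 hex digest

    $ok = $legacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);

    // Re-hash while the plaintext is in hand, so MD5 rows disappear over time.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$username]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

var_dump(verify_login($users, 'alice', 'demo'));     // login against the legacy MD5 row
var_dump(strlen($users['alice']['password']) > 32);  // stored value after the upgrade
$temp = admin_reset_password($users, 'alice');
var_dump(verify_login($users, 'alice', 'demo'));     // old password after the reset
var_dump(verify_login($users, 'alice', $temp));      // temporary password after the reset
```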

Actually I *believe* that MD5 is no longer secure, as the previously mentioned website solved an MD5 hash of two MD5ed strings.

*EDIT*

I take it back, must have been lucky.

 

Joshuaceo

You are missing the point of storing your password in MD5. The reason is that should someone know the hash, they don't know the phrase to make the hash. Either store the password in plaintext in your database or save the password in their session when they log in and use that.

 

 
