[SOLVED] I Really Need A MD5 Auto Decrypter, Please Help!!

[jamesxg1]

Hello People,

 

Ok Basically With The Script Im Making The Admin View All The Customers Details,

 

But I When I View There Password From Admin Its MD5 Encrypted.

 

And I Dont Know How To Decrypt It :S,

 

When The User Registers The PHP Register Script Does Automatically MD5 Encode It And Store It To The DB But How Do I Temp De-Code It For My Viewing ?,

 

 

Many Thanks

 

James.

[premiso]

You cannot decrypt it. MD5 is a 1 way hash. You have to regenerate a new password for them.

[haku]

Which is how it should be. If the admin can see the password, then its not very secure. You can set up a system where you can change their password to something new, but you then have to tell them what that new password is.

[jamesxg1]

Hiya,

 

Oh Ok I See.

 

Well Is There Some Sort Of Way I Can Make A Temp Password But They Will Still Be Able To Login With There One ?

[cooldude832]

You can't have the cow and the milk.

 

You need to capture the password before you md5 it so the user can see it unencrypted.

 

 

As for MD5 decrypting there have been some really nice rainbow tables made on it, but yes it is a 1-way hash.

 

 

[limitphp]

Hiya,

 

Oh Ok I See.

 

Well Is There Some Sort Of Way I Can Make A Temp Password But They Will Still Be Able To Login With There One ?

 

that would be impossible unless you changed your system around a good bit to check for two passwords.

 

[jamesxg1]

Oh I See. . .

 

Ok Well I Would Like To Go For The Idea Of Capturing The Password Before It Is MD5 En-Coded But How Would I Go About This So That The User Cannot See It And There Is No Vunrability ?

[cooldude832]

You are really getting into account registration design theroy, mine is

 

1) Fill out registration form with captcha and their pw of their choice

2) Verify inputs in the form

3) In verification page send an email asking for email verification

4) They click email link account is now active

5) They login with the pw they originally selected

 

To recover pw a random 10 digit string is generated then md5ed and the non md5ed of it is emailed to the activated account

[jamesxg1]

Yes Thats Exactly How My Registration System Is Except I Use 15 Character/Numberal Hash Code For There Lost Password.

 

 

And Is There Any Way Of Logging How Many Wrong Password They Enter ?.

[Maq]

And Is There Any Way Of Logging How Many Wrong Password They Enter ?.

 

Sure, if someone tries to login and fails, then store it in a column in the DB.

 

We would need some more information, and you're better off starting a new thread.

[haku]

Ok Well I Would Like To Go For The Idea Of Capturing The Password Before It Is MD5 En-Coded But How Would I Go About This So That The User Cannot See It And There Is No Vunrability ?

 

Nope. The moment you do anything with the non-MD5ed version of the password, you create potential vulnerabilites.

 

Note: Capitalizing every word puts you in the top 5 percentile of annoying when communicating in text.

[premiso]

Note: Capitalizing every word puts you in the top 5 percentile of annoying when communicating in text.

 

I think it is #1 actually. Caps are annoying but not as annoying as that...

[PFMaBiSmAd]

In a user system, an administrator account can directly perform any action that a user could and there is no need to know or have the user's password. Being logged in as an administrator should allow you access to an administrator's "control panel" page that you have written where you can select a user and view or modify any of that user's data.

[tqla]

I believe AES encryption is a reversible option provided you use a key and you are using at least mysql 4.0.2.

You can use AES_ENCRYPT() and then AES_DECRYPT

 

[ratcateme]

but then if some gets read access to your php source they can decrypt all the passwords even with mysql and a salt it will still take them years to decrypt a password even if they knew your salt

 

Scott.

[haku]

Exactly. For top security, passwords should be hashed with either md5 or sha1. I actually prefer sha1. It's a little slower than md5 (though in this day and age, that's measured in milliseconds), but its stronger.

[trq]

Yes Thats Exactly How My Registration System Is Except I Use 15 Character/Numberal Hash Code For There Lost Password.

 

 

And Is There Any Way Of Logging How Many Wrong Password They Enter ?.

 

Can you please stop posting each word beginning with a capital letter? Your making my eyes bleed.