converting md5 password to readable format [RESOLVED]


7 replies to this topic

#1 AdRock


Posted 09 August 2006 - 08:50 PM

When new user details are inserted into the database I have used md5 to encrypt the password.

I now have a form to recover a lost password which gets the record from the database and emails the user the username and password.

The problem is that the password is still encrypted.

I need to know how I can convert the md5 password to a format that the user can read and understand.
If your topic has been solved, please mark the topic as SOLVED.

This helps others from identifying which topics need help still

#2 king arthur


Posted 09 August 2006 - 08:54 PM

You can't. If someone has forgotten their password the only option is to enable them to choose a new one.
Sir Isaac Newton said "If I have seen farther, it is by standing on the shoulders of giants". But it is not recorded as to whether he said it before or after he was hit on the head by a falling apple.

#3 Orio


Posted 09 August 2006 - 09:03 PM

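When someone forgets his pass and asks for a reminder, generate a random string, for example:
<?php
// random_bytes() draws from the OS CSPRNG; md5($username.time()) can be
// guessed from the username and the time of the request
$rand_string=bin2hex(random_bytes(16));
?>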
Store it in the db in the row of the user, in the column "reminder_rand".
Then send a link (to the email given) that looks like this:
echo("www.domain.com/reminder.php?str=".$rand_string);

reminder.php will check if there's a row that "reminder_rand" equals $rand_string, and if so create a random pass to the user, replace it with the old one (when it's md5 of course) and then send it to him via email (Make sure you send the pass not in md5). If there's no such row output "Error".

Orio.
Think you're smarty?

(Gone until 20 to November)
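The reset-link flow described in the post above, as an added example that is not part of the original thread. The `$users` array stands in for the database table, and the `reset_hash` / `reset_expires` fields, the function names and the example.com URL are assumptions; unlike the post, the user picks the new password on the reset page, so no password is emailed.

```php
<?php
// Added example. $users is an in-memory stand-in for the users table;
// the field names below are assumptions, not taken from the thread.
$users = ['adrock' => ['pass_hash' => password_hash('old-pass', PASSWORD_DEFAULT),
                       'reset_hash' => null, 'reset_expires' => 0]];

// Step 1: issue a token. Only its SHA-256 digest is stored, so a leaked
// table does not hand out working reset links.
function issueResetToken(array &$users, string $username, int $ttl = 3600): ?string {
    if (!isset($users[$username])) {
        return null; // caller should show the same message either way
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $users[$username]['reset_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + $ttl;
    return $token; // goes into the emailed link, never into the table
}

// Step 2: the reminder.php side. Check token and expiry, then store the
// password the user typed on the reset page.
function redeemResetToken(array &$users, string $username, string $token, string $newPassword): bool {
    $row = $users[$username] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;
    }
    // hash_equals() compares in constant time
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['pass_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_hash'] = null; // single use
    $users[$username]['reset_expires'] = 0;
    return true;
}

$token = issueResetToken($users, 'adrock');
echo "https://www.example.com/reminder.php?user=adrock&str=$token\n";
var_dump(redeemResetToken($users, 'adrock', 'wrong-token', 'new-pass'));  // wrong token
var_dump(redeemResetToken($users, 'adrock', $token, 'correct horse'));   // valid token
var_dump(redeemResetToken($users, 'adrock', $token, 'again'));           // token reused
var_dump(password_verify('correct horse', $users['adrock']['pass_hash']));
```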

#4 poirot


Posted 09 August 2006 - 09:13 PM

Obviously you still can "reverse" the MD5 hash by using Rainbow (which is known for being a very effective method) or an MD5 hash database like these:

http://gdataonline.com/
http://md5.rednoize.com/
~ D Kuang

#5 Orio


Posted 09 August 2006 - 09:22 PM

Cracking his user's passes? Sounds pretty unsafe to register to his site...

Orio.
Think you're smarty?

(Gone until 20 to November)

#6 poirot


Posted 09 August 2006 - 09:29 PM

> Cracking his user's passes? Sounds pretty unsafe to register to his site...
>
> Orio.

The same is true for any site. If the admin were unscrupulous though, why have MD5 at all?
Just store the plain pass.

I am just pointing out that it IS possible to "convert" md5 hashes back to plaintext (when you are working with short strings as passwords, obviously).
~ D Kuang
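Because unsalted MD5 of a short password can be found by lookup, as the posts above discuss, a site that already stores MD5 values can replace them as users log in. The following is an added example, not code from the thread; the row layout, the function names and the sample password are constructed for illustration.

```php
<?php
// Added example with constructed sample data; the row layout is an assumption.
$legacyRow = ['user' => 'adrock', 'hash' => md5('letmein')]; // old storage format

// A bare 32-character hex string is treated as a legacy unsalted MD5 value.
function isLegacyMd5(string $hash): bool {
    return preg_match('/^[0-9a-f]{32}$/', $hash) === 1;
}

// Verify a login; when the stored value is still MD5, replace it with a
// salted, slow password_hash() value while the plaintext is in hand.
function verifyAndUpgrade(array &$row, string $password): bool {
    if (isLegacyMd5($row['hash'])) {
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Re-hash when the default algorithm or cost has moved on
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Same password, same MD5 every time: this is what a lookup table relies on.
var_dump(md5('letmein') === md5('letmein'));
// password_hash() adds a fresh random salt, so two hashes of one password differ.
var_dump(password_hash('letmein', PASSWORD_DEFAULT) === password_hash('letmein', PASSWORD_DEFAULT));

var_dump(verifyAndUpgrade($legacyRow, 'wrong'));    // bad password, row unchanged
var_dump(verifyAndUpgrade($legacyRow, 'letmein'));  // good password, row upgraded
var_dump(isLegacyMd5($legacyRow['hash']));          // stored value after the upgrade
var_dump(verifyAndUpgrade($legacyRow, 'letmein'));  // later login against the new hash
```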

#7 tomfmason


Posted 09 August 2006 - 09:36 PM

Personally, what I do is first, when the user signs up, I email them with all of the information that they signed up with. I would also have them choose two security questions like the city that they were born in and something else like last four of their social.

Then I instruct them to search their email for their registration information. If they are unable to find their password, then I have them input their email address, username and the two security questions. Then I create them a random password with this code and email it to them.

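function makeRandomPassword() {
  // Character set the temporary password is drawn from (33 characters)
  $salt = "abchefghjkmnpqrstuvwxyz0123456789";
  // Initialise the result so the concatenation below does not raise a notice
  $pass = "";
  $i = 0;
  while ($i <= 7) { // 8 characters in total
    // random_int() (PHP 7+) uses the OS CSPRNG; srand()/rand() seeded from
    // microtime() is predictable
    $num = random_int(0, strlen($salt) - 1);
    $tmp = substr($salt, $num, 1);
    $pass = $pass . $tmp;
    $i++;
  }
  return $pass;
}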

Then after they log in with the new password, I allow them to change it again to whatever they want. I also mail the new password to them and instruct them to save the email for future reference.

Hope this helps,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have had gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux


#8 onlyican


Posted 09 August 2006 - 09:40 PM

I own a disabled site, and I store the password unencrypted in the database.
This means it's less confusing for the user (some are really disabled and everything needs to be as easy as possible).

Also, I am not asking them for private confidential information.

What I also do is have one password for "normal sites" like this forum
One password for sites like Paypal
One password for my cpanel
Another password for emails and things

So if someone gets my password from a website, they can only access other websites, and not cause me damage.

Tell me the problem, I will try tell you the solution



