SharkBait Posted November 2, 2005

Alright, I am looking for pros/cons of using MD5 or Password to do encryption for passwords stored in a MySQL database. Obviously MD5 is better. Is it easy to work with? How do you encrypt and decrypt a string for a password? With Password it's like:

INSERT INTO blah (usr_pass) VALUES(PASSWORD('{$blah}'))

Is it the same for MD5? If the site is internal (not accessible from the outside world) is it safe to use Password over MD5? If it's public, how hard is it to break the Password encryption as opposed to MD5? Thanks
widgetapps Posted November 2, 2005

The problem with PASSWORD() is that it can change over time, as it did recently. It's meant to be used only for MySQL permissions. MySQL documentation clearly outlines this. See the note in the PASSWORD() docs here: http://dev.mysql.com/doc/refman/4.1/en/enc...-functions.html

That said, MD5() is usually the next choice. Some folks will double or triple MD5 a password as well. I generally double MD5, something like this (PHP code):

$md5_password = md5(md5('thePassword') . 'some seed string');

Just put this into a function, and you can re-use it to encode passwords when creating and validating.
Cook Posted November 2, 2005

One extra thing to note, though, is that MD5 digests cannot be decrypted, i.e. you cannot get the original data from an MD5 digest. MD5 is a hash algorithm that produces a signature from the original data such that it is very, very highly improbable that two different pieces of original data produce the same MD5 digest. Therefore MD5 is a good choice to authenticate data (as opposed to truly encrypting it), i.e. ensure the other party is indeed who they claim to be. The consequence of all this is that if your users forget their passwords, you can't give them back in any way. Instead you would have to generate a new one randomly and send that new password to your users.

All that said, using a seed string (also referred to as a salt) as widgetapps suggests is a very good idea, as it makes it much more difficult for dictionary or brute force attacks to succeed in cracking your security.
Zane Posted November 2, 2005

As far as MD5 goes, it's much better to reverse your string, MD5 that, then reverse the MD5 and MD5 that. Makes it impossible to hack. In reference to this post: http://www.phpfreaks.com/forums/index.php?...topic=76708&hl=
Cook Posted November 2, 2005

True. Along the same line, something like this:

$digest = md5(md5($message) . md5($salt));

is pretty much unbreakable too.
SharkBait Posted November 2, 2005

So when they first sign up, I could do:

$salt = "MyWierdStrangePassPhrase";
$user_pass = md5(md5($_POST['password']), md5($salt));

Then store that into MySQL. How do I go about validating the value in the database?
Cook Posted November 3, 2005

Make sure you replace the ',' with '.' (the string concatenation operator) in your md5() call. To check the password supplied is correct, just apply the same function to the input provided by the user, then do a string comparison with the value stored in the db. NB: The comparison need not be case sensitive, as the md5 digest is made up of 32 hex digits; you can use strcasecmp().
cammac Posted November 3, 2005

Hmm... I'm having a hard time understanding the reasoning behind MD5 encryption. If it's not possible to decrypt the pass again and send it to the user when they have forgotten it, then wouldn't it mean you would have to send the user a password-resetting link through e-mail, e.g. http://www.domain.com/resetpass.php?id=k8f8fjklh38, and then the hacker would just have to brute-force that, reset the pass and could even lock the user out? Also, maybe I'm wrong, but don't Yahoo, MSN, Gmail, etc. all send the user their password instead of a reset link, so their passes are non-encrypted, or? And also, wouldn't it be just as good to set a 10 minute login block after 3 failed login attempts to block brute forcing?
widgetapps Posted November 4, 2005

To validate this, put your code in a function. Then, when the user types in their password, run that password through the same function. Then compare the two MD5 versions of the password; they should be the same. MD5 will always encrypt the same string the same way.
tjhilder Posted November 6, 2005

I'm new to this. I was wondering, if this code:

$password = $_POST['password'];
$password = md5(md5($password));

would encrypt the password, how would I unencrypt it? Would it be a case of just using $password = md5(md5($password)); again to reverse it, or is there another way?

-- TJ
neylitalo Posted November 6, 2005

You wouldn't be able to unencrypt it - MD5 is a one-way hash. You cannot "unencrypt" an MD5 hash. The standard method for MD5 authentication is to store the password as an MD5 hash (salted, unsalted, whatever) and then, when a user tries to authenticate, take the password they provide, run the same algorithm on it, and compare the hashes. If the hashes match, then the password is valid.
tjhilder Posted November 6, 2005

"You wouldn't be able to unencrypt it - MD5 is a one-way hash. You cannot "unencrypt" an MD5 hash."

Ah, I see, thanks for the info. I wanna make a membership system so that friends can register and be able to view pages on my site via ranks, so the higher rank they have the more they can view. I think I worked out the register form properly; now I need to create the login page.
Cook Posted November 6, 2005

TJ, the answer to your question is right here in this thread if you care to read it all. Hint: post #3.
tjhilder Posted November 8, 2005

Thanks, I read that, now I feel silly. OK, so now that I know how to encrypt a password when it's submitted by a form, how'd I go about using it when someone goes to login? Anyone know where I can find out how to make a ranks system? So that when someone registers they get put on level 4 access, and then you can change it to something else, like level 2 access, so they can view different parts of the site? This is something I am really needing for my website and I know CuteNews has a system like that, but I need one for my site. Any suggestions?
V-Man Posted November 10, 2005

Quick question. If you can unencrypt MD5, why would you bother to reverse, and THEN MD5 that? Isn't that just wasting time?
neylitalo Posted November 11, 2005

"If you can unencrypt MD5, why would you bother to reverse, and THEN MD5 that? Isn't that just wasting time?"

But you can't. And anything that's going to throw a hacker off is good - just do something other than straight MD5ing it. As long as you throw something else in the mix, they'll never be able to guess it to brute force it.
tjhilder Posted November 11, 2005

Wouldn't that be something like...

$password = strrev(md5(strrev(md5($password))));

Correct me if I'm wrong, I'm a newbie.
neylitalo Posted November 11, 2005

Sure, that would work, so long as you do the same when you are going to compare the string provided by the user. Let me clear something up really quick: no one method of salting works better than another. When somebody runs a brute-force attack, they usually just md5() the string they're trying JUST ONCE. They don't md5() it and md5() it again, they don't md5() it and reverse it, they don't do anything special. There are just too many combinations of possibilities to even come close to hitting the correct one. The point of salting is so they DO have to guess. And if they guess, they probably aren't going to be right. So, any of the following would work beautifully, as long as you keep it consistent. And feel free to make your own "algorithm".

<?
md5(md5($string));
md5(strrev($string));
strrev(md5($string));
str_rot13(md5($string));
md5(md5($string).md5("salt"));
//Just DON'T do this:
md5($string);
//because that's what the hackers are expecting.
?>
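Cook's validation advice earlier in the thread (recompute the digest and compare it to the stored one) and the list of variants just above, as an added example that is not code from anyone in the thread: the thread's md5(md5($password) . md5($salt)) formula factored into a register/verify pair, with a random salt drawn per user and stored beside the digest instead of one site-wide string, and a constant-time comparison at login. The function names (digest, make_record, verify) and the sample users and passwords are constructed for this example; it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the thread): the thread's digest formula as a
// register/verify pair. Function names and sample values are constructed.

// One function for the formula, so registration and login cannot drift apart.
function digest(string $password, string $salt): string
{
    return md5(md5($password) . md5($salt));
}

// Registration: draw a fresh random salt for this user and return both
// fields that must be stored with the user's row.
function make_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'digest' => digest($password, $salt)];
}

// Login: recompute with the stored salt and compare in constant time.
// md5() returns lowercase hex, so no case-insensitive compare is needed;
// hash_equals() keeps the comparison time independent of where the
// two digests first differ.
function verify(string $password, array $record): bool
{
    return hash_equals($record['digest'], digest($password, $record['salt']));
}

// Two constructed users who happen to choose the same password.
$alice = make_record('correct horse');
$bob   = make_record('correct horse');

// The right password verifies; a case-changed one does not.
var_dump(verify('correct horse', $alice), verify('Correct horse', $alice));

// Per-user salts: the two stored digests differ, so confirming a guess
// against one row says nothing about any other row.
var_dump($alice['digest'] === $bob['digest']);

// One site-wide string (like strrev() or a second md5(), it is the same
// for everyone) gives every user with this password the same stored value.
$site_salt = 'MyWierdStrangePassPhrase';
var_dump(digest('correct horse', $site_salt) === digest('correct horse', $site_salt));
```

Current PHP releases ship password_hash() and password_verify(), which generate the per-user salt and use a deliberately slow hash; the md5 construction is kept here only because it is what the thread discusses.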
tjhilder Posted November 11, 2005

md5(md5($string).md5("salt"));

What's the last bit, the .md5("salt") bit, do? Does it add the word salt to the password? Or the word salt encrypted, then added to the password? Or am I getting the totally wrong idea?

BTW, what would you use to try and match the password that is stored in the db and the password that is entered with the form? Correct me if I'm wrong, but would it be something like

if ($password1 == $password2) { echo "perfect match!"; }

(I might have forgotten to add some stuff to that, but maybe you get my idea.)
neylitalo Posted November 16, 2005

"What's the last bit, the .md5("salt") bit, do?"

It just makes it harder to brute force. Anything that makes it different than md5($password) will help.