Author Topic: MySQL - MD5 vs Password  (Read 5438 times)


SharkBait (Topic starter)
MySQL - MD5 vs Password
« on: November 02, 2005, 10:57:45 AM »
Alright, I am looking for pro/cons of using MD5 or Password to do encryption for passwords stored in a MySQL Database.

Obviously MD5 is better.  Is it easy to work with?  How do you encrypt and decrypt a string for a password?

With PASSWORD() it's like: INSERT INTO blah (usr_pass) VALUES(PASSWORD('{$blah}'))

Is it the same for MD5?

If the site is internal (not accessible from the outside world) is it safe to use PASSWORD() over MD5?  If it's public, how hard is it to break the PASSWORD() encryption as opposed to MD5?

Thanks

widgetapps
« Reply #1 on: November 02, 2005, 11:15:29 AM »
The problem with PASSWORD() is that it can change over time, as it did recently. It's meant to be used only for MySQL permissions. MySQL documentation clearly outlines this. See the note in the PASSWORD() docs here: http://dev.mysql.com/doc/refman/4.1/en/enc...-functions.html

That said, MD5() is usually the next choice. Some folks will double or triple MD5 a password as well. I generally double MD5, something like this (PHP code):

Code:
$md5_password = md5(md5('thePassword') . 'some seed string');

Just put this into a function, and you can re-use it to encode passwords when creating and validating.

« Last Edit: November 02, 2005, 11:17:17 AM by widgetapps »

Cook
« Reply #2 on: November 02, 2005, 11:43:13 AM »
One extra thing to note though is that MD5 digests cannot be decrypted, i.e. you cannot get the original data from an MD5 digest. MD5 is a hash algorithm that produces a signature from the original data that is such that it is very very highly improbable that two different pieces of original data produce the same MD5 digest. Therefore MD5 is a good choice to authenticate data (as opposed to truly encrypting it), i.e. ensure the other party is indeed who they claim to be.

The consequence of all this above is that if your users forget their passwords, you can't give it to them in any way. Instead you would have to generate a new one randomly and send that new password to your users.

All that said, using a seed string (also referred to as salt) as widgetapps suggests is a very good idea, as it makes it much more difficult for dictionary or brute force attacks to succeed in cracking your security.
Cook

Zane (Global Moderator)
« Reply #3 on: November 02, 2005, 12:02:23 PM »
as far as MD5 goes
it's much better to reverse your string
MD5 that
then reverse the MD5
and MD5 that

makes it impossible to hack

In reference to this post
http://www.phpfreaks.com/forums/index.php?...topic=76708&hl=

Want to thank me?  Contribute to my PayPal piggy-bank

Cook
« Reply #4 on: November 02, 2005, 12:15:09 PM »
True. Along the same line, something like this:

Code:
$digest = md5(md5($message) . md5($salt));

is pretty much unbreakable too.
Cook

SharkBait (Topic starter)
« Reply #5 on: November 02, 2005, 12:20:27 PM »
So when they first sign up:

So I could do:

Code:
$salt = "MyWierdStrangePassPhrase";
$user_pass = md5(md5($_POST['password']), md5($salt));

Then store that into MySQL.

How do I go about validating the value in the database?

Cook
« Reply #6 on: November 02, 2005, 07:34:41 PM »
Make sure you replace the ',' with '.' (the string concatenation operation) in your md5() call.

To check the password supplied is correct, just apply the same function to the input provided by the user, then do a string comparison with the value stored in the db.

NB: The comparison need not be case sensitive, as the md5 digest is made up of 32 hex digits; you can use strcasecmp().
Cook

cammac
« Reply #7 on: November 02, 2005, 09:20:12 PM »
Hmm... I'm having a hard time understanding the reasoning behind MD5 encryption - if it's not possible to decrypt the pass again and send it to the user when they have forgotten it, then wouldn't it mean you would have to send the user a password-resetting link through e-mail, e.g.:

http://www.domain.com/resetpass.php?id=k8f8fjklh38

And then the hacker would just have to brute-force that, reset the pass and could even lock the user out.

Also - maybe I'm wrong, but don't yahoo, msn, gmail, etc. all send the user their password instead of a reset link, so their passes are non-encrypted, or?

And also wouldn't it be just as good to set a 10 minute login block after 3 failed login attempts to block brute forcing?


widgetapps
« Reply #8 on: November 04, 2005, 09:02:15 AM »
To validate this, put your code in a function. Then, when the user types in their password, run that password through the same function. Then, compare the 2 MD5 versions of the password; they should be the same. MD5 will always encrypt the same string the same way.


tjhilder
« Reply #9 on: November 05, 2005, 09:56:07 PM »
I'm new to this. I was wondering, if this code:
Code:
$password = $_POST['password'];
$password = md5(md5($password));
would encrypt the password, how would I unencrypt it? Would it be a case of just using
Code:
$password = md5(md5($password));
again to reverse it, or is there another way?

--
TJ

neylitalo (Staff Alumni)
« Reply #10 on: November 05, 2005, 10:31:32 PM »
You wouldn't be able to unencrypt it - MD5 is a one-way hash. You cannot "unencrypt" an MD5 hash.

The standard method for MD5 authentication is to store the password as an MD5 hash (salted, unsalted, whatever) and then, when a user tries to authenticate, take the password they provide, run the same algorithm on it, and compare the hashes. If the hashes match, then the password is valid.
« Last Edit: November 05, 2005, 10:31:50 PM by neylitalo »
http://nealylitalo.net - My personal website, and home of The Netizen's Journal.
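The sign-up and login flow the thread settles on (Cook's md5(md5($password) . md5($salt)) construction, the ',' versus '.' slip from reply #5, and the re-hash-and-compare check from replies #6, #8 and #10), as an added PHP example that is not code from any post in this thread. The $salt value, the username 'tj', the sample passwords and the in-memory $users array are constructed stand-ins for a real secret and a real MySQL usr_pass column.

```php
<?php
// Added example (not code from any post in this thread): the register-and-
// validate flow discussed above, using Cook's md5(md5($password) . md5($salt))
// construction. $salt and the $users array are constructed stand-ins for a
// real secret and a real MySQL usr_pass column.

// Site-wide salt as in reply #5. In current PHP, password_hash() /
// password_verify() are the standard replacement for hand-rolled MD5 schemes.
$salt = 'MyWierdStrangePassPhrase';

// One function shared by sign-up and login, as widgetapps advised, so the
// exact same transformation is applied on both sides.
function hash_password($password, $salt) {
    // '.' is string concatenation: the two hex digests are joined, then hashed.
    return md5(md5($password) . md5($salt));
}

// The ',' variant from reply #5 is not a syntax error: md5() takes an
// optional second boolean ($binary), so md5($salt) is coerced to true and
// the call returns 16 raw bytes instead of 32 hex digits. Kept only to show
// why Cook's correction matters; never store this form.
function hash_password_with_comma_bug($password, $salt) {
    return md5(md5($password), md5($salt));
}

// Validation (replies #6, #8, #10): re-hash the supplied password and compare
// it with the stored digest. strcasecmp() is fine because the digest is hex,
// as Cook noted; hash_equals() (PHP >= 5.6) is the constant-time alternative.
function verify_password($input, $salt, $stored_hash) {
    return strcasecmp(hash_password($input, $salt), $stored_hash) === 0;
}

// Sign-up: this is the value the thread stores in MySQL.
$users = array();
$users['tj'] = hash_password('correct horse', $salt);

echo "stored digest length: ", strlen($users['tj']), "\n";
echo "comma-bug digest length: ",
     strlen(hash_password_with_comma_bug('correct horse', $salt)), "\n";
echo "right password: ", var_export(verify_password('correct horse', $salt, $users['tj']), true), "\n";
echo "wrong password: ", var_export(verify_password('wrong guess', $salt, $users['tj']), true), "\n";
// Case of the stored hex digest does not matter, as Cook pointed out.
echo "upper-cased stored digest: ",
     var_export(verify_password('correct horse', $salt, strtoupper($users['tj'])), true), "\n";
```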

tjhilder
« Reply #11 on: November 06, 2005, 12:06:57 AM »
Quote
you wouldn't be able to unencrypt it - MD5 is a one-way hash. You cannot "unencrypt" an MD5 hash.

Ah, I see, thanks for the info.

I wanna make a membership system so that friends can register and be able to view pages on my site via ranks, so the higher rank they have the more they can view.

I think I worked out the register form properly, now I need to create the login page.

Cook
« Reply #12 on: November 06, 2005, 12:07:22 AM »
TJ, the answer to your question is right here in this thread if you care to read it all. Hint: post #3. ;)
Cook

tjhilder
« Reply #13 on: November 07, 2005, 07:24:02 PM »
Thanks, I read that, now I feel silly :P

OK, so now that I know how to encrypt a password when it's submitted by a form, how'd I go about using it when someone goes to login?

Anyone know where I can find out how to make a ranks system? So that when someone registers they get put on level 4 access, and then you can change it to something else, like level 2 access so they can view different parts of the site? This is something I am really needing for my website and I know cutenews has a system like that but I need one for my site.

Any suggestions?

V-Man
« Reply #14 on: November 10, 2005, 06:41:06 PM »

Quick question.

If you can unencrypt MD5, why would you bother to reverse, and THEN MD5 that?  Isn't that just wasting time?
rtfm :)