Author Topic: MySQL - MD5 vs Password  (Read 5439 times)

Offline neylitalo

MySQL - MD5 vs Password
« Reply #15 on: November 10, 2005, 09:57:05 PM »
Quote
If you can unencrypt MD5, why would you bother to reverse, and THEN MD5 that? Isn't that just wasting time?
But you can't. And anything that's going to throw a hacker off is good - just do something other than straight MD5ing it. As long as you throw something else in the mix, they'll never be able to guess it to brute force it.
« Last Edit: November 10, 2005, 09:58:01 PM by neylitalo »
http://nealylitalo.net - My personal website, and home of The Netizen's Journal.

Offline tjhilder

MySQL - MD5 vs Password
« Reply #16 on: November 11, 2005, 08:22:07 AM »
Wouldn't that be something like...

$password = strrev(md5(strrev(md5($password))));

Correct me if I'm wrong, I'm a newbie.

Offline neylitalo

MySQL - MD5 vs Password
« Reply #17 on: November 11, 2005, 01:31:57 PM »
Sure, that would work, so long as you do the same when you are going to compare the string provided by the user.

Let me clear something up really quick: no one method of salting works better than another. When somebody runs a brute-force attack, they usually just md5() the string they're trying JUST ONCE. They don't md5() it and md5() it again, they don't md5() it and reverse it, they don't do anything special. There are just too many combinations of possibilities to even come close to hitting the correct one. The point of salting is so they DO have to guess. And if they guess, they probably aren't going to be right.

So, any of the following would work beautifully, as long as you keep it consistent. And feel free to make your own "algorithm".

<?

md5(md5($string));
md5(strrev($string));
strrev(md5($string));
str_rot13(md5($string));
md5(md5($string).md5("salt"));

//Just DON'T do this:
md5($string);
//because that's what the hackers are expecting.

?>

Offline tjhilder

MySQL - MD5 vs Password
« Reply #18 on: November 11, 2005, 04:16:44 PM »
Quote
md5(md5($string).md5("salt"));
What's the last bit, the .md5("salt") bit do? Does it add the word salt to the password? Or the word salt encrypted then added to the password? Or am I getting the totally wrong idea?

Btw, what would you use to try and match the password that is stored in the db, and the password that is entered with the form?

Correct me if I'm wrong, but would it be something like

if ($password1 == $password2) {
 echo "perfect match!";
}

(I might have forgotten to add some stuff to that but maybe you get my idea.)

Offline neylitalo

MySQL - MD5 vs Password
« Reply #19 on: November 15, 2005, 11:53:32 PM »
Quote
What's the last bit, the .md5("salt") bit do?
It just makes it harder to brute force. Anything that makes it different than md5($password) will help.
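
An added example, not part of any post in this thread: it contrasts the thread's md5(md5($string).md5("salt")) transform, where the salt is one constant for all users, with PHP's built-in password_hash()/password_verify(), and shows the comparison step asked about in Reply #18. It assumes PHP 7.1 or later; the function names threadScheme() and verifyAndUpgrade() and the sample passwords are constructed for illustration.

```php
<?php
// Added example. threadScheme(), verifyAndUpgrade() and the sample passwords are constructed.

// The fixed transform from the thread: the "salt" is one constant shared by every user.
function threadScheme(string $password): string
{
    return md5(md5($password) . md5("salt"));
}

// Check a login against a stored value and return the value to keep in the database
// (a new password_hash() string when a legacy row was upgraded), or null on failure.
function verifyAndUpgrade(string $submitted, string $stored): ?string
{
    // Legacy rows are 32 hex characters; password_hash() output starts with "$".
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // hash_equals() compares in constant time and never treats "0e..." strings
        // as numbers, which == does.
        if (!hash_equals($stored, threadScheme($submitted))) {
            return null;
        }
        return password_hash($submitted, PASSWORD_DEFAULT);
    }
    if (!password_verify($submitted, $stored)) {
        return null;
    }
    // Re-hash if the default algorithm or cost has changed since this value was stored.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($submitted, PASSWORD_DEFAULT)
        : $stored;
}

// Two accounts that happen to choose the same password (constructed sample data).
$alice = 'correct horse battery';
$bob   = 'correct horse battery';

// Fixed transform: equal passwords give equal stored values.
echo "thread scheme, same stored value: ";
var_dump(threadScheme($alice) === threadScheme($bob));

// password_hash() draws a fresh random salt per call and embeds it, with the cost, in its output.
echo "password_hash, same stored value: ";
var_dump(password_hash($alice, PASSWORD_DEFAULT) === password_hash($bob, PASSWORD_DEFAULT));

// A legacy row verifies once and comes back as a per-user salted hash.
$upgraded = verifyAndUpgrade($alice, threadScheme($alice));
echo "legacy row upgraded: ";
var_dump($upgraded !== null && password_verify($alice, $upgraded));
echo "wrong password rejected: ";
var_dump(verifyAndUpgrade('wrong guess', $upgraded) === null);
```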