return back the value generated using MD5 function

  • eros
    New Member
    • Jun 2007
    • 66

    return back the value generated using MD5 function

    I use md5 function of PHP before storing the password in the database.

    Scenario: I put a password retrieval program. After authentication that the username really exists, send an email containing his/her password and username.

    Problem: I cannot return back the encrypted value.
    e.g. password: 123456 md5 password: sdfgn234uih893h u9hu92rh8g58... ... (32size in DB)

    I want back the real value to "123456".

    Constraints: I don't want to generate a new password before doing the email. I want to send back his/her currently used password.
  • dafodil
    Contributor
    • Jul 2007
    • 389

    #2
    After a few arguments with volectricity about hashing, I came to understand that hashing cannot be decrypted. The only way you can check if the hashed data is the same is by storing the hashed data in your db and comparing it to user input by hashing it.

    MD5 returns hashed data.

    What you need is a two-way encryption function.


    • eros
      New Member
      • Jun 2007
      • 66

      #3
      Originally posted by dafodil
      After a few arguments with volectricity about hashing, I came to understand that hashing cannot be decrypted. The only way you can check if the hashed data is the same is by storing the hashed data in your db and comparing it to user input by hashing it.

      MD5 returns hashed data.

      What you need is a two-way encryption function.
      Please correct me if my understanding is wrong.

      I will create a list of hashed data by md5 and corresponding real values? Maybe it is adding another field or another table?

      What do you mean by two-way encryption function?


      • eros
        New Member
        • Jun 2007
        • 66

        #4
        It means that if a site has the capability to send back the original password, it is not using an md5 function.. maybe they created their own encryption function, that's why they can decrypt the data. Or they are not using any encryption in storing passwords in the database.


        • dafodil
          Contributor
          • Jul 2007
          • 389

          #5
          Originally posted by eros
          Please correct me if my understanding is wrong.

          I will create a list of hashed data by md5 and corresponding real values? Maybe it is adding another field or another table?

          What do you mean by two-way encryption function?
          MD5 is only one-way encryption; that means you cannot decrypt it. You cannot retrieve the old value. The only way is by comparing the stored hashed data on the database.

          For example:
          use md5:
          apple=EDFAB
          store EDFAB to database.
          you need to allow user to input his password again:
          apple
          and use the md5 again to compare it.
          EDFAB=EDFAB

          I suggest you use mcrypt: http://www.php.net/manual/en/ref.mcrypt.php

          If you want to decrypt what you have encrypted.


          • eros
            New Member
            • Jun 2007
            • 66

            #6
            return back the value generated using MD5 function (SOLVED)

            Originally posted by dafodil
            MD5 is only one-way encryption; that means you cannot decrypt it. You cannot retrieve the old value. The only way is by comparing the stored hashed data on the database.

            For example:
            use md5:
            apple=EDFAB
            store EDFAB to database.
            you need to allow user to input his password again:
            apple
            and use the md5 again to compare it.
            EDFAB=EDFAB

            I suggest you use mcrypt: http://www.php.net/manual/en/ref.mcrypt.php

            If you want to decrypt what you have encrypted.

            Thanks a lot... I study on how to execute mcrypt in PHP.
            Last edited by eros; Jul 31 '07, 05:56 AM. Reason: return back the value generated using MD5 function (SOLVED)


            • nathj
              Recognized Expert Contributor
              • May 2007
              • 937

              #7
              Originally posted by dafodil

              If you want to decrypt what you have encrypted.
              Remember, if you can decrypt so can someone else. I suggest sticking with hashing and if they forget their password, have them prove who they are and then generate a new password - they can always change it when they log in next.

              I think, and it's really just opinion, that being able to decrypt the password is not smart. Sticking with hashing, it's safer.

              Cheers
              nathj
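
The hash-and-reset approach suggested in this thread, as an added example that is not part of any post. It swaps in PHP's password_hash()/password_verify() for the md5()/sha1() calls discussed here and emails a single-use reset token rather than a generated password; the function names, the in-memory arrays standing in for database tables, and the sample user are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. The $users / $resets arrays are constructed stand-ins for DB tables.

function register(array &$users, string $user, string $password): void {
    // One-way, salted hash: the stored value cannot be turned back into the password.
    $users[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $user, string $password): bool {
    // Same idea as "hash the input again and compare", done by password_verify().
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function startReset(array &$resets, string $user, int $ttl = 900): string {
    $token = bin2hex(random_bytes(32));            // unguessable value that goes in the email
    $resets[$user] = [
        'token_hash' => hash('sha256', $token),    // only the token's hash is stored
        'expires'    => time() + $ttl,
    ];
    return $token;
}

function finishReset(array &$users, array &$resets, string $user,
                     string $token, string $newPassword): bool {
    $r = $resets[$user] ?? null;
    if ($r === null) return false;                 // no reset was requested
    if (time() > $r['expires']) { unset($resets[$user]); return false; }
    if (!hash_equals($r['token_hash'], hash('sha256', $token))) return false;
    unset($resets[$user]);                         // single use
    register($users, $user, $newPassword);         // replaces the old hash
    return true;
}

// Constructed demo data.
$users = []; $resets = [];
register($users, 'alice', '123456');
var_dump(login($users, 'alice', '123456'));                          // login with the stored password
$token = startReset($resets, 'alice');
var_dump(finishReset($users, $resets, 'alice', 'wrong', 'n3w-pass')); // attempt with a wrong token
var_dump(finishReset($users, $resets, 'alice', $token, 'n3w-pass'));  // attempt with the emailed token
var_dump(login($users, 'alice', '123456'));                          // login attempt with the old password
var_dump(finishReset($users, $resets, 'alice', $token, 'again'));     // attempt to reuse the token
```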


              • eros
                New Member
                • Jun 2007
                • 66

                #8
                Originally posted by nathj
                Remember, if you can decrypt so can someone else. I suggest sticking with hashing and if they forget their password, have them prove who they are and then generate a new password - they can always change it when they log in next.

                I think, and it's really just opinion, that being able to decrypt the password is not smart. Sticking with hashing, it's safer.

                Cheers
                nathj
                I see... yeah I realized... hihih ;) thank you very much.. I regenerate a new password, then email it to their respective email account, then just change it after.

                Thanks again. I will for MD5 function of PHP.


                • kovik
                  Recognized Expert Top Contributor
                  • Jun 2007
                  • 1044

                  #9
                  Originally posted by eros
                  I see... yeah I realized... hihih ;) thank you very much.. I regenerate a new password, then email it to their respective email account, then just change it after.

                  Thanks again. I will for MD5 function of PHP.
                  Don't use MD5. It's so outdated and weak. I'd suggest SHA-256, but SHA-1 is easily available through PHP, so use it.

                  [php]$pass = sha1($_POST['password']);[/php]


                  • eros
                    New Member
                    • Jun 2007
                    • 66

                    #10
                    Originally posted by volectricity
                    Don't use MD5. It's so outdated and weak. I'd suggest SHA-256, but SHA-1 is easily available through PHP, so use it.

                    [php]$pass = sha1($_POST['password']);[/php]
                    Is it advisable? And is it the common practice?


                    • dafodil
                      Contributor
                      • Jul 2007
                      • 389

                      #11
                      There are already security flaws for SHA-1 and MD5. You can check this site to see the available hash functions.


                      • kovik
                        Recognized Expert Top Contributor
                        • Jun 2007
                        • 1044

                        #12
                        Originally posted by eros
                        Is it advisable? And is it the common practice?
                        It's stronger, but just as easily available for use, so there's really no reason to use MD5 over SHA-1.
