MD5 Hash Unencryption - Page 2 - Computer Programmers, Programming Forum

Aepos · #11 07-16-2008

Well, heck, I don't want to break into any Databases. If you really wanna look at SQL Injections, and what-not, then Google "milw0rm."

Stephen Bryant · #12 07-16-2008

Quote:

Karan Bhangui originally posted:

I'm not sure how effective this is, but to greatly increase the time taken by brute forcing, I've heard people including a php execution pause (of a few seconds) between checking for password authenticity, and sending a reply back to the browser. Any ideas if there is any point to doing this?

That would work for brute-forcing a password on a webpage itself. However, most of the time, the attacker has the hash, and is able to do it locally. Cracking an MD5 over a webserver could take... centuries.

hot_cakes · #13 07-16-2008

You often won't need to find a password, merely a collision. To this end, MD5 is thoroughly useless for crypto purposes.

"It may be expected that [...] the overall time for finding a complete collision can fall down to as less as 2 minutes on a PC notebook"

SHA1 is weakened in light of recent research. If you're serious about keeping data safe, use one of the later SHAs.

Edd

Mike Tomasello · #14 07-16-2008

Hashing is not primarily for the purposes of making your log-in scheme (or whatever) more secure, but rather for protecting your user's log-in details should your database be compromised. Collisions, therefore, are not the major issue - you should focus more on getting an algorithm that is computationally expensive enough to be impractical to brute force but fast enough to be used in (say) a log-in script.

If you're simply trying to make your log-in system more secure, consider enforcing stricter password policies, expiring passwords, requiring additional information at log-in (e.g. 'secret questions') or other forms of verification.

gorda001 · #15 07-16-2008

Quote:

Mike Tomasello originally posted:

If you're simply trying to make your log-in system more secure, consider enforcing stricter password policies, expiring passwords, requiring additional information at log-in (e.g. 'secret questions') or other forms of verification.

God no. If a website says that my password is too insecure then I'm just going to click the back button. No way am I remembering a separate password just for that website. ADC requires that I change my password every year so I just have two accounts so I can switch the passwords on each

Don't make users change their passwords.

Nick Presta · #16 07-16-2008

If you're really worried about your hash being unsafe, use something like SHA 512 or a whirlpool hash function.

Aepos · #17 07-16-2008

Quote:

gorda001 originally posted:

God no. If a website says that my password is too insecure then I'm just going to click the back button. No way am I remembering a separate password just for that website. ADC requires that I change my password every year so I just have two accounts so I can switch the passwords on each

Don't make users change their passwords.

I'm really not trying to make it safer. I'm just in the developing stages for now. As for expiring passwords, it's really not the 'shiniest hook' to be dragging in users with, as Gorda explained.

Mike Tomasello · #18 07-17-2008

Quote:

gorda001 originally posted:

God no. If a website says that my password is too insecure then I'm just going to click the back button. No way am I remembering a separate password just for that website. ADC requires that I change my password every year so I just have two accounts so I can switch the passwords on each

Don't make users change their passwords.

It is only one of many options. It is inconvenient for frivolous sites like YC, but for enterprise security or banking (amongst other things) then perhaps a necessary evil. Would you leave your bank because their web-site security is too stringent? Sometimes I wish there was an option to go into an 'insecure mode' and let me suffer the consequences dammit! But I guess I wouldn't quite feel like that if my money was stolen and the bank refused to cover me because I opted out of their security.

Quote:

Nick Presta originally posted:

If you're really worried about your hash being unsafe, use something like SHA 512 or a whirlpool hash function.

What would be better in terms of brute force strength is an iterative function like PBKDF2, even with something like SHA1.

Scripten · #19 07-19-2008

It`s called encryotor and heres the code to a encrytptor and decryptor for MD5 hashes, so i hope you like it:

PHP Code:


			
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> 
<center> 
<?php 

if (isset($_POST['submit'])) { 

$_POST['pass'] = stripslashes($_POST['pass']); 
$pass = $_POST['pass']; 

$passkod = md5("$pass"); 

} 
?> 

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="POST"> 
<table width=100% border=1 cellspacing=0 cellpadding=10> 

<tr></font></td><input class="inputbox" type="pass" name="pass" size="30"></td></td> 

<input type="submit" name="submit" value= "Encrypt"> 
</td> 
</tr> 
</table> 
</form> 
<? 
echo("$pass: $passkod"); 
?> 

<form method="post" enctype="multipart/form-data"> 
<input type="text" name="md5"><input type="submit" value="Decrypt"> 
<br> 
<?php 
set_time_limit(0); 
$md5 = $_POST['md5']; 
if ($md5) { 
$char = array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_', '=', '+'); 
foreach ($char as $a) { 
$i="$a"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
$i="$a$b"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
$i="$a$b$c"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
$i="$a$b$c$d"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
$i="$a$b$c$d$e"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
foreach ($char as $f) { 
$i="$a$b$c$d$e$f"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
foreach ($char as $f) { 
$i="$a$b$c$d$e$f"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
foreach ($char as $f) { 
foreach ($char as $g) { 
$i="$a$b$c$d$e$f$g"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
foreach ($char as $f) { 
foreach ($char as $g) { 
foreach ($char as $h) { 
$i="$a$b$c$d$e$f$g$h"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
} 
} 
} 
foreach ($char as $a) { 
foreach ($char as $b) { 
foreach ($char as $c) { 
foreach ($char as $d) { 
foreach ($char as $e) { 
foreach ($char as $f) { 
foreach ($char as $g) { 
foreach ($char as $h) { 
foreach ($char as $i) { 
$i="$a$b$c$d$e$f$g$h$i"; 
$hash = md5($i); 
if ($hash == $md5) { 
die("$md5: $i"); 
} 
} 
} 
} 
} 
} 
} 
} 
} 
} 
} 

?> 
</form>