PHP Forum

**bharanikumarphp** · 03-04-2008, 05:57 AM

dears
having password in my db..

how to decript that md5 value ..

thanks in advance

**mtishetsky** · 03-04-2008, 07:09 AM

Brute force is the only way, but it will take years. Better change that password.

**Pash** · 03-04-2008, 08:38 AM

You dont need to decrypt it, md5 is one-way encryption. You just compare the password submited with the one in the database and see if they match.

**NullPointer** · 03-04-2008, 03:27 PM

So long as the hash wasn't generated using a salt there is a decent chance that you can generate a collision in a reasonable amount of time. My concern is, why do you need to decrypt a password in your own database. Couldn't you just change the hash to that of a password you already know?

**colbyt** · 03-04-2008, 03:53 PM

Quote:

Originally Posted by NullPointer

So long as the hash wasn't generated using a salt there is a decent chance that you can generate a collision in a reasonable amount of time. My concern is, why do you need to decrypt a password in your own database. Couldn't you just change the hash to that of a password you already know?

And if you need one to plug in there one of us can help you out with a generic one. Then once you login you just change it again.

**rogem002** · 03-04-2008, 04:06 PM

MD5 is a one-way encryption, meaning the only way to find out what something (for example a password in a database) is to go through every combination.

Some websites have done this (Look for md5 rainbow tables), though this is limited to basic words/phrases.

**Arenlor** · 03-05-2008, 12:22 AM

http://www.md5decrypter.com/ one of my favorite sites.

**mtishetsky** · 03-05-2008, 12:54 AM

Well yeah, very good site.

Md5 Hash: dc226fbd97143b2b1a2a38d8895bf743
A decryption for this hash wasn't found in our database

**Arenlor** · 03-05-2008, 01:02 AM

Yeah they don't have them all, but it's useful to run your password's MD5 through there to see.

**NullPointer** · 01:24 AM

That site is the reason why passwords should be encrypted with a salt. vBulletin does it and so should you

Better yet, don't use md5 at all. Use sha1 and a salt and the chances of your passwords being decrypted are virtually zero. The added entropy also prevents collisions

**mtishetsky** · 03-05-2008, 02:01 AM

Wtf. If your password is not qwerty or 123 or any dictionary word there is no difference between sha1 and md5 because both will take infinity to decrypt if the only way to check the password is applying it to login form. And considering that to decrypt the password you should first obtain its hash in some way the task becomes completely impossible.

**NullPointer** · 03-05-2008, 02:19 AM

Quote:

Originally Posted by mtishetsky

Wtf. If your password is not qwerty or 123 or any dictionary word there is no difference between sha1 and md5 because both will take infinity to decrypt if the only way to check the password is applying it to login form. And considering that to decrypt the password you should first obtain its hash in some way the task becomes completely impossible.

Are you saying you should assume that the users of the application you code will know better than to use dictionary words as passwords? Besides, I am not suggesting that a brute force attack be used to decrypt either, there are better ways.

http://en.wikipedia.org/wiki/Sha1#Cr...lysis_of_SHA-1

**mtishetsky** · 03-05-2008, 03:50 AM

I guess that if your data is so valueable that the password decryption can be used there are better ways to steal that data, e.g. using system security holes, not the script ones.