Having trouble with md5()

code_junkie · 01-13-2009, 02:01 PM

I am having trouble understanding the md5() function. Can anyone explain it a little and explain how to implement it into my login script?

Salathe · 01-13-2009, 03:09 PM

The md5() function simply returns a hash of the string that you feed into it. The MD5 hash is usually a 32 character hexadecimal number (a string containing only 0-9 and a-f characters). For an in-depth look at what MD5 does, take a look at the MD5 Wikipedia page but don't get too bogged down in the details as that may confuse you even more.

maZtah · 01-13-2009, 03:14 PM

With md5() you can hash your password. md5 isn't reversible, so you can't reverse the hash back to the original password. Ofcourse there are big databases where you can check a md5 hash against, but when you're also salting the password this won't work.

I feel like md5 together with a salt is generally safe enough to store your passwords. Read more about salts here: Working with Dynamic Cryptography Salts.

So, basically you only have to do:

PHP Code:


			
define('SALT', 'y0urs4lth3r3');

$szPassword = md5(SALT.'your_password');

// You can put $szPassword in the database now.

Dog Cow · 02-03-2009, 09:35 PM

Quote:

Originally Posted by code_junkie

I am having trouble understanding the md5() function. Can anyone explain it a little and explain how to implement it into my login script?

Basically, making an MD5 hash is like making a footprint. It's not actually your foot, but only your foot will match!

In the same case, when a user registers, you make an MD5 hash of his password like this:

Code:

if (isset($_POST['submit']))
{
  // user has submit the registration form

  $password = $_POST['password']; // user's plaintext password as submitted by the form

  // In this example, we will assume the user entered
  // greendog32
  // as his password.

  // Now we make an MD5 hash of this.
  $md5_hash = md5($password);

  // $md5_hash currently looks like this:
  // 742898c83a580b611249ecc2f6cc7a2d

  // More code here would insert this hash into a database
  // The original, plaintext password that the user entered is discarded!

}

Now the thing you have to understand is that with MD5, every possible combination of characters hashes to a completely unique, 32 alphanumeric string. In theory, this is the ideal case, in practice, no.

In example:
the hash of the single letter a is : 0cc175b9c0f1b6a831c399e269772661
and the hash of a similar string, aa is: 4124bc0a9335c27f086f24ba207a4912

Quite different, even though the inputs are similar.

Now, here is part 2! We have the MD5 hash of the user's password stored, which is not the actual password. In theory, there should be only one phrase in the entire world which equals the hash, and that is greendog32.

So, here is what the login script would look like:

Code:

if(isset($_POST['submit']))
{
  // user has submit the login form

  // Here is the plaintext password which the user has entered
  $password = $_POST['password'];

  // Some code here will select the MD5 hash from the database
  $hash_from_database = '742898c83a580b611249ecc2f6cc7a2d';

  // Now what we do here is md5() the password which the user just submitted
  // and see if it equals $hash_from_database

  $hash_from_user = md5($password);

  // Now compare!
  if ($hash_from_user == $hash_from_database)
  {
     echo('You have entered the password correctly! The MD5 hashes matched!');
  }
  else
  {
      echo('You have entered a password other than greendog32. 
      Since the hashes did not match, the password you entered was wrong!');
  }

}

code_junkie · 02-04-2009, 01:12 AM

Quote:

Originally Posted by Dog Cow

Basically, making an MD5 hash is like making a footprint. It's not actually your foot, but only your foot will match!

In the same case, when a user registers, you make an MD5 hash of his password like this:

Code:

if (isset($_POST['submit']))
{
  // user has submit the registration form

  $password = $_POST['password']; // user's plaintext password as submitted by the form

  // In this example, we will assume the user entered
  // greendog32
  // as his password.

  // Now we make an MD5 hash of this.
  $md5_hash = md5($password);

  // $md5_hash currently looks like this:
  // 742898c83a580b611249ecc2f6cc7a2d

  // More code here would insert this hash into a database
  // The original, plaintext password that the user entered is discarded!

}

Now the thing you have to understand is that with MD5, every possible combination of characters hashes to a completely unique, 32 alphanumeric string. In theory, this is the ideal case, in practice, no.

In example:
the hash of the single letter a is : 0cc175b9c0f1b6a831c399e269772661
and the hash of a similar string, aa is: 4124bc0a9335c27f086f24ba207a4912

Quite different, even though the inputs are similar.

Now, here is part 2! We have the MD5 hash of the user's password stored, which is not the actual password. In theory, there should be only one phrase in the entire world which equals the hash, and that is greendog32.

So, here is what the login script would look like:

Code:

if(isset($_POST['submit']))
{
  // user has submit the login form

  // Here is the plaintext password which the user has entered
  $password = $_POST['password'];

  // Some code here will select the MD5 hash from the database
  $hash_from_database = '742898c83a580b611249ecc2f6cc7a2d';

  // Now what we do here is md5() the password which the user just submitted
  // and see if it equals $hash_from_database

  $hash_from_user = md5($password);

  // Now compare!
  if ($hash_from_user == $hash_from_database)
  {
     echo('You have entered the password correctly! The MD5 hashes matched!');
  }
  else
  {
      echo('You have entered a password other than greendog32. 
      Since the hashes did not match, the password you entered was wrong!');
  }

}

Thank you for this post. I played with it for a few minute and I think I understand it now.

Wildhoney · 02-04-2009, 01:50 AM

Well explained, Dog Cow. Another encryption method that is similar to MD5, just longer and of course a different algorithm, is SHA1, which is inherent to PHP using the sha1() function. The principle is exactly the same as MD5.

code_junkie · 02-05-2009, 03:16 PM

Which would be the best way to secure the login?

Sakakuchi · 02-05-2009, 06:41 PM

That's quite simple to answer:

MD5 or SHA1?

You could also use a salt, to make it harder to reverse, read it up here:

Cryptography's Sodium Chloride