I'm trying to store user passwords in a MySQL database. I learned the
hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
cross-platform, but if I encrypt on the server side with PHP's md5
function, will it work cross-platform (or cross-processor?)
Thank you for any advice
Acrobatic wrote:
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)
>
> Thank you for any advice
It should be cross platform, as far as I know.
On Fri, 23 Nov 2007 16:47:23 +0100, Acrobatic
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)
md5 should even be cross-language/script. A Perl md5 =3D a PHP md5 =3D a=
MySQL =
md5 =3D a JAVA md5.
You can't decrypt/decode it though (well, at least not practically).
-- =
Rik Wasmus
Rik Wasmus emailed this:
> On Fri, 23 Nov 2007 16:47:23 +0100, Acrobatic
>
>> I'm trying to store user passwords in a MySQL database. I learned the
>> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
>> cross-platform, but if I encrypt on the server side with PHP's md5
>> function, will it work cross-platform (or cross-processor?)
>
> md5 should even be cross-language/script. A Perl md5 = a PHP md5 = a
> MySQL md5 = a JAVA md5.
Yes. MD5 is a standard hash function, unless all software implementations
of MD5 provide exactly the same result, its use is pretty much pointless.
The only reason why one version of MD5 could give a different result from
another is if one of them has not implemented the algorithm correctly, in
which case it is not an implementation of MD5 at all but is a flawed
variation of it.
More Info.:
http://en.wikipedia.org/wiki/Md5
On Nov 23, 8:47 am, Acrobatic
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)
>
> Thank you for any advice
Not exactly your question, but an often useful tidbit none-the-less:
On a linux server, if you want to generate an md5hash
from the command line, that would duplicate what would also
be generated from php, you have to remember to echo -n
(print to the console without a newline at the end of your string).
I do this, for instance, when manually adding new users into
an authentication database.
`echo -n obama` produces the same hash as md5("obama") in php.
`echo obama` does not......
On Nov 23, 11:47 am, salmobytes
> On Nov 23, 8:47 am, Acrobatic
>
> > I'm trying to store user passwords in a MySQL database. I learned the
> > hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> > cross-platform, but if I encrypt on the server side with PHP's md5
> > function, will it work cross-platform (or cross-processor?)
>
> > Thank you for any advice
>
> Not exactly your question, but an often useful tidbit none-the-less:
>
> On a linux server, if you want to generate an md5hash
> from the command line, that would duplicate what would also
> be generated from php, you have to remember to echo -n
> (print to the console without a newline at the end of your string).
> I do this, for instance, when manually adding new users into
> an authentication database.
>
> `echo -n obama` produces the same hash as md5("obama") in php.
>
> `echo obama` does not......
echo -n obama | md5sum that is
Matthew wrote:
> Yes. MD5 is a standard hash function, unless all software implementations
> of MD5 provide exactly the same result, its use is pretty much pointless.
> The only reason why one version of MD5 could give a different result from
> another is if one of them has not implemented the algorithm correctly, in
> which case it is not an implementation of MD5 at all but is a flawed
> variation of it.
Well, in a language that uses null-terminated strings, a case could be
made for or against including the null in the hash's input string. This
could lead to two possible results for one input.
Also, although it's customary to hex-encode the output of an MD5 hash (as
PHP's md5() function does), it could be shown in decimal, octal or some
other base, in which case, although the result would be the same, it would
*look* very different, and a simple string comparison would class them as
different. Also even with hex-encoded MD5s, you need to make sure that the
comparison is case-insensitive.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 6 min.]
It'll be in the Last Place You Look
http://tobyinkster.co.uk/blog/2007/11/21/no2id/
Rik Wasmus wrote:
> You can't decrypt/decode it though (well, at least not practically).
Well, you can't at all, because for any given MD5 hash, there are infinite
possible inputs which could have generated it. So even if you manage to
find an input which produces that value as its output (which is more or
less an enormous brute-force search), you can't be sure that it's the same
as the original input.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]
It'll be in the Last Place You Look
http://tobyinkster.co.uk/blog/2007/11/21/no2id/
Toby, I think you are mistaken.
In theory, every md5 hash is unique. An md5 hash is bound to a single
unique input. If a brute-force matches a has, THAT is the original
input.
Regards,
Kailash Nadh
http://kailashnadh.name
On Nov 23, 7:13 pm, Toby A Inkster
wrote:
> Rik Wasmus wrote:
> > You can't decrypt/decode it though (well, at least not practically).
>
> Well, you can't at all, because for any given MD5 hash, there are infinite
> possible inputs which could have generated it. So even if you manage to
> find an input which produces that value as its output (which is more or
> less an enormous brute-force search), you can't be sure that it's the same
> as the original input.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]
>
> It'll be in the Last Place You Look
> http://tobyinkster.co.uk/blog/2007/11/21/no2id/
On Mon, 26 Nov 2007 04:22:41 +0100, Kailash Nadh
wrote:
> On Nov 23, 7:13 pm, Toby A Inkster
> wrote:
>> Rik Wasmus wrote:
>> > You can't decrypt/decode it though (well, at least not practically).
>>
>> Well, you can't at all, because for any given MD5 hash, there are
>> infinite
>> possible inputs which could have generated it. So even if you manage to
>> find an input which produces that value as its output (which is more or
>> less an enormous brute-force search), you can't be sure that it's the
>> same
>> as the original input.
> Toby, I think you are mistaken.
> In theory, every md5 hash is unique. An md5 hash is bound to a single
> unique input. If a brute-force matches a has, THAT is the original
> input.
No, Toby is right: different input can generate the same output (if not,
we would have found a great ZIP functionality, didn't we? If we can md5 a
file, and every md5 is unique yet limited to a certain length, you could
put all books into one file, and md5 it. If a md5 is unique, it is
reversable.). Brute force cracking involves guessing at original input
length & propability of input. It can be done (with 'propabilities of
input', it's not something hackers would like to spend their CPU cycles on
though.
--
Rik Wasmus
Kailash Nadh wrote:
> On Nov 23, 7:13 pm, Toby A Inkster
> wrote:
>> Rik Wasmus wrote:
>>> You can't decrypt/decode it though (well, at least not practically).
>> Well, you can't at all, because for any given MD5 hash, there are infinite
>> possible inputs which could have generated it. So even if you manage to
>> find an input which produces that value as its output (which is more or
>> less an enormous brute-force search), you can't be sure that it's the same
>> as the original input.
>>
>> --
>> Toby A Inkster BSc (Hons) ARCS
>> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
>> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]
>>
>> It'll be in the Last Place You Look
>> http://tobyinkster.co.uk/blog/2007/11/21/no2id/
>
>
> Toby, I think you are mistaken.
> In theory, every md5 hash is unique. An md5 hash is bound to a single
> unique input. If a brute-force matches a has, THAT is the original
> input.
>
> Regards,
> Kailash Nadh
> http://kailashnadh.name
>
(Top posting fixed)
Wrong. A MD5 hash results in a 32 byte value. Theoretically there are
a (near) infinite number of hashes which can be resolved to a the same
hash. If it were unique, it would be the best compression algorithm
known to programmers.
And please don't top post. Thanks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
On Nov 26, 4:08 am, Jerry Stuckle
> KailashNadhwrote:
> > On Nov 23, 7:13 pm, Toby A Inkster
> > wrote:
> >> Rik Wasmus wrote:
> >>> You can't decrypt/decode it though (well, at least not practically).
> >> Well, you can't at all, because for any given MD5 hash, there are infinite
> >> possible inputs which could have generated it. So even if you manage to
> >> find an input which produces that value as its output (which is more or
> >> less an enormous brute-force search), you can't be sure that it's the same
> >> as the original input.
>
> >> --
> >> Toby A Inkster BSc (Hons) ARCS
> >> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> >> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]
>
> >> It'll be in the Last Place You Look
> >> http://tobyinkster.co.uk/blog/2007/11/21/no2id/
>
> > Toby, I think you are mistaken.
> > In theory, every md5 hash is unique. An md5 hash is bound to a single
> > unique input. If a brute-force matches a has, THAT is the original
> > input.
> >
> > Regards,
> >KailashNadh
> >http://kailashnadh.name
> >
>
> (Top posting fixed)
>
> Wrong. A MD5 hash results in a 32 byte value. Theoretically there are
> a (near) infinite number of hashes which can be resolved to a the same
> hash. If it were unique, it would be the best compression algorithm
> known to programmers.
>
> And please don't top post. Thanks.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Ah, my mistake.
Regards,
Kailash Nadh
http://kailashnadh.name
Kailash Nadh wrote:
> In theory, every md5 hash is unique. An md5 hash is bound to a single
> unique input. If a brute-force matches a has, THAT is the original
> input.
As everyone else has pointed out, MD5s are not unique. Here's a thought
experiment which proves it.
An MD5 is a 128-bit number. Thus there are 2^128 possible MD5 outputs.
If we consider all possible files of length 17 bytes (136 bits), then
you'll notice that there are 2^136 possible MD5 inputs.
Now, (2^136)/(2^128) = 2^8 = 256. Which means that for every MD5 input,
there are (on average) 256 different files of length 17 bytes which can
produce that result.
And that's just collisions with files of length 17 bytes. When you
consider files with length 18 bytes, there are over 65000 collisions for
each MD5 result. Imagine how many possible collisions there are with files
in the kilobyte or megabyte size range!
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 2 days, 14:54.]
It'll be in the Last Place You Look
http://tobyinkster.co.uk/blog/2007/11/21/no2id/