Same number of characters in the password after md5

5

I'm doing a process of opening a modal and registering a user. The user's password is passed through md5();

After this the password ends up with 32 characters.

When the user loads the user data to do an update:

If the password was:

123456
****** <- 6 characters

It shows in the input:

*************************** <- 32 characters

Is there some way of knowing how many characters there were before doing md5(), or maybe a better approach?

It would be unfeasible to store the number of characters in the db to accomplish this.

asked by anonymous 18.11.2015 / 13:50

6 answers

3

Would you have any way of knowing how many characters there were before you did md5()?

Safely, no! Regardless of the encryption you will use, md5, sha1 or sha256, bringing the hash to the client would not be a good way to resolve the problem.

Is there a better approach?

The comment from @Sanção suggests 2 approaches:

1 - Leave the fields empty.

If something is typed, you will know the number of characters in the field that is being updated.

2 - Define a fixed number of characters.

When the user focuses on the field, delete the characters and let them enter the new password.

Edit

You can put a placeholder in the input; it's similar to the login screen of our link:

<label>Digite sua Senha:</label>
<br>
<input type="password" placeholder="******* Nova senha" size="25">
<br>
<input type="password" placeholder="******* Confirmar senha" size="25">
18.11.2015 / 17:07
4

There is no way to know the number of characters from an md5 hash, precisely because it is one-way, and that is its purpose.

One way to know how many there were before would be to save that number in a database field, which is completely unfeasible from a security standpoint.

See the example of some bank sites: you enter your password in an input that only goes up to 5 characters and does not display anything else you type after the 5th digit, even if it is just asterisks; or the Linux example, which simply does not show your password while you are typing.

You could do as previously suggested: put a fixed amount in your input and, when the user clicks, clear the field; it would be the most practical and also the most used solution.

Also try changing your encryption method to use salt + password and then generate a hash using SHA512; it is more appropriate than just using md5 and risking your password being found in a rainbow table.

And never use the user name as salt.

18.11.2015 / 17:14
3

You can't get md5 back. Not in a practical and quick way.

I do not know why you want to display it this way, but on my user screens I do not show the password field. Just a "Change password" link that opens a modal.

18.11.2015 / 13:57
3

This is not practical. And, if it is possible for you, it is because it is possible for external attackers. If you saw someone doing it, that person is not taking security seriously.

By the way, DO NOT USE MD5! MD5 is demonstrably flawed for security purposes. Prefer SHA256, because even SHA1 is already being abandoned for security reasons.

18.11.2015 / 14:24
3

First, answering the question. Yes, it is possible, if the input value is equal to the value in the database before being encrypted.

Encrypting the input value and comparing it with the existing value gives the same return.

<?php
// Hashes the argument with md5 in raw (binary) mode; raw md5 is 16 bytes,
// so substr(..., 0, 22) returns all 16 bytes unchanged
function senha($arg){
    $md5 = md5($arg, true);
    return substr($md5, 0, 22);
}

// The same input always produces the same hash
print senha('1234');
print "<br/>";
print senha('1234');

// Comparing the stored hash with the hash of the typed password
$senha_armazenada = senha('1234');
if($senha_armazenada === senha('1234')){
    print "senha confere";
} else {
    print "senha nao confere";
}

However, cryptographic functions such as md5, sha1 and so on are considered unsuitable for tasks like these because they are "easy" to break. Although they seem indestructible, there is tremendous processing power and many techniques to get the true value from such a hash.

To create a secure hash, there are currently 2 important factors to take into account:

  • The cost (the time the computer will take to generate the hash).
  • The salt (a unique increment, which makes the hash unique in each case).

PHP >= 5.5.0 has native functions to create and check secure hashes without much effort. For older versions, PHP < 5.5.0, there are ways to get the same result, also explained elsewhere.

Instead of using md5, you can use the native functions of PHP >= 5.5.0 to create something more secure.

<?php

header("Content-Type: text/html; charset=utf-8;");

// In-memory stand-in for the users table; each row stores a bcrypt hash made with password_hash()
$usuarios = array(
    0 => array(
        'id'=>1,
        'nome'=>'Edilson',
        'hash'=>'$2y$10$i260FJQg7VgsNjXl6s9Mje9aqXUGbfa9L/c8bA2NOUHyDVoyJoyQu'
        ),
    1 => array(
        'id'=>2,
        'nome'=>'Samuel',
        'hash'=>'$2y$10$r1wD4rLLgB1jm6ExF.Em5eyKXdK4Wn8f6z.G9fsxmc3xXay4.pI/O'
        )
    );


// Login: find the row whose name matches and check the password against its stored hash
function logar($usuario, $senha){
    global $usuarios;
    foreach($usuarios as $key=>$set){
        if($set['nome'] === $usuario){
            if(password_verify($senha, $set['hash'])){
                return true;
            }
        }
    }
    return false;
}

// Registration: append a row with a bcrypt hash of the password (random id only for this demo)
function cadastrar($usuario, $senha){
    global $usuarios;
    if(!empty($usuario) && !empty($senha)){
        $hash = password_hash($senha, PASSWORD_BCRYPT);
        $id = mt_rand(3,50);
        if(array_push($usuarios, array('id'=>$id, 'nome'=>$usuario, 'hash'=>$hash))){
            return true;
        }
    }
    return false;
}

//var_dump(cadastrar('Edilson','password')); # (true/registered)
var_dump(logar('Edilson', 'password')); # (true/logged in)
var_dump(logar('Samuel', '1234')); # (true/logged in)
print_r($usuarios);

?>

Here, for example, the $usuarios variable functions as a table in the database, and when the logar function is called, it looks in that array for the corresponding hash and compares it through password_verify, which returns true if both match, or false if the comparison fails.

Recommended:

18.11.2015 / 18:44
2

md5() is irreversible: the encrypted password is not accessible, the number of characters will always be 32, and the md5 hash may repeat even for passwords with different characters. One of the sure ways to create passwords is through php.net password_hash.

<?php
// Compatibility library that provides password_hash()/password_verify() on PHP < 5.5
require 'password.php';

$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);

if (password_verify('bad-password', $passwordHash)) {
    // Correct password
} else {
    // Wrong password
}

The lookup for an MD5 password will always be done via a valid password, with a query of the type:

'SELECT * FROM TABELA where senha=MD5(:senha)'
18.11.2015 / 18:12
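Added example, not code from any of the answers above: it combines the "leave the fields empty" approach from the first answer with the cost and salt factors from the password_hash answers, in a password update flow that never sends the stored hash to the browser. The names $users, verify_login and update_password and the constructed user row are assumptions of this example.

```php
<?php
// Added example; names ($users, verify_login, update_password) are assumed, not from the page.
const BCRYPT_COST = 12; // cost factor: higher means slower hashing for an attacker as well

// Constructed in-memory "table"; a real application would read and write this in the database.
$users = [
    1 => ['nome' => 'Edilson',
          'hash' => password_hash('senha-antiga', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

// Login check; also upgrades the stored hash when it was made with an older cost or algorithm.
function verify_login(array &$users, string $nome, string $senha): bool {
    foreach ($users as $id => $row) {
        if ($row['nome'] !== $nome) continue;
        if (!password_verify($senha, $row['hash'])) return false;
        if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $users[$id]['hash'] = password_hash($senha, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        }
        return true;
    }
    return false;
}

// Profile update: the password inputs arrive empty unless the user typed a new password,
// so the form never needs the old hash or the old password length.
function update_password(array &$users, int $id, string $senha_atual,
                         string $nova, string $confirmar): string {
    if ($nova === '') return 'unchanged';        // empty field means keep the current password
    if ($nova !== $confirmar) return 'mismatch';
    if (!password_verify($senha_atual, $users[$id]['hash'])) return 'wrong-current';
    $users[$id]['hash'] = password_hash($nova, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return 'updated';
}

// md5 always yields 32 hex characters and carries no salt; password_hash embeds a random
// salt and the cost, so hashing the same password twice gives two different hashes.
var_dump(strlen(md5('123456')) === 32 && strlen(md5('123456789')) === 32);
var_dump(password_hash('123456', PASSWORD_BCRYPT) !== password_hash('123456', PASSWORD_BCRYPT));

var_dump(update_password($users, 1, 'senha-antiga', '', ''));
var_dump(update_password($users, 1, 'senha-antiga', 'nova123', 'nova123'));
var_dump(verify_login($users, 'Edilson', 'nova123'));
var_dump(verify_login($users, 'Edilson', 'senha-antiga'));
```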