Same number of characters in password after md5

Asked

Viewed 1,100 times

5

I’m doing a process of opening a modal and registering a user. User password is modified to md5();

After this the password is with 32 caracteres.

When user will load user data to make an update.

If the password was:

123456
****** <- 6 caracteres

Show in input:

*************************** <- 32 caracteres

Would there be some way to know how much they were before doing the md5(), or perhaps a better approach.

It would be impractical to store the amount of characters in db to accomplish this.

  • In the update the correct would not be to request the password for the user as confirmation? Bringing from the bank is not a good idea. MD5 is no longer safe either, due to dictionary attacks, it might be worth considering using another method.

  • 1

    The ideal is not to display the filled password, I usually leave the password field locked and a checkbox to enable this field, if he wants to update the password, he registers a new password.

  • @Georgewurthmann an Administrator user could change the password of a lower level user without the need to know the password of the user. what other method you would indicate ?

  • 1

    On any site, the password update form comes with empty value or a fixed amount of asterisks. What you want to do of displaying the amount of characters in the password is a security flaw. Related issue: How to decrypt MD5?

  • @Jefersonassis I wish I could show the "****" various systems do this, I just don’t know which approach is the most assertive in this case, on the question of identifying when to change the password is simple, if someone focuses on her I delete it so that he can type in a new one and if it doesn’t change...

  • @Penalty then they put a fixed amount, regardless of password size ?

  • @Gabrielrodrigues exactly, but leave the field empty is the most used, check for example the form to change password here Sopt

  • @Gabrielrodrigues the administrator should not even know the password, only the user should know his own password. The administrator can change the password in the same way as the user resets it. The previous password is 'forgotten' and a new one is assigned. But when I referred to the method, I was talking about cryptography, in this case I indicate that I use Bcrypt. Read more in this question by Sopt: http://answall.com/questions/2402/como-fazer-hash-de-passwords_safesafesafesafesafest

  • 1

    It makes no difference to insert the asterisks. It doesn’t matter what the X site or Y site does.. Normally, serious website that does this merely places some asterisks to illustrate. It is merely visual but has no need whatsoever. And another point they commented on, don’t give any chance for a clue that leads a hacker to understand what the password looks like. If the subject knows that the password has 5 or 8 characters, It is less complicated to break the password because nor will waste time with other sizes, understood?

  • @Danielomine, I understand, the answers were able to answer these questions.

Show 5 more comments

6 answers

4

There is no way to know the number of characters of a md5 hash, precisely because it is one-way, and that is its purpose.

One way to know how much was before would be to save that amount in a database field, which is complements impracticable in the question of safety.

Take the example of some bank sites, you type your password in the input that only goes up to 5 characters and does not display anything else you type after the 5th digit, even if it is just asterisks, or the Linux example, which simply does not show your password while you are typing.

You could do as previously suggested, put a fixed amount in your input and when the user clicks, reset the field, would be the most practical and also the most used solution.

Also try to change your encryption method to use a salt+password, and then generate a hash using SHA512, it is more indicated than just using md5 and run the risk of your password being found in a rainbow table.

And never use user name as salt.

3

Unable to return to md5. Not in a fast and practical way.

I don’t know why you want to display this way, but on my user screens I don’t show the password field. Just a "Change password" link that opens a modal.

3

It’s not possible in a practical way. And, if it’s possible for you, it’s possible for external attackers. If you saw someone doing it, that person is not taking security seriously.

By the way, DON’T USE MD5! MD5 is demonstrably flawed for security purpose. Prefer SHA256, as even SHA1 is already being abandoned for security reasons.

  • A password "12345" encoded in SHA256 or SHA2 or SHA+Something is as insecure as "12345" in MD5.

  • Yes, absolutely. Common passwords are the first thing an attacker will try to use. Just like dictionary words. But this does not invalidate the concern with a strong hash algorithm. It is not just because we can not have 100% security that we will accept 0%.

  • The hash type concern is valid when Rute force is applicable. So it is not 100% certain to state, without explaining the details, that MD5 is unsafe and should migrate to other hashes. Dictionaries and rainbowtables do not include Salts. If the password has salt or a concatenated reinforcement, it already makes a Rainbow table or dictionary invalid. The hacker would have to have access to salt and generate a specific salt-based Rainbow table. If a hacker has access to DB, salt and everything, Oras... the security flaw is not in the hash used.. né rsrsrs

3


Would have some way of knowing how many characters were before doing md5() ?

Not securely! No matter what encryption you use md5, sha1 or sha256 bringing the hash to the client would not be a good way to solve the problem.

There is a better approach ?

The Comment of @Sanção behind 2 approaches:

1 - Leave fields empty.

If the user type something you will understand by the amount of characters in the field that is to do an update.

2 - Set a fixed number of characters.

Case the user of a phocus in the characters delete them and let him type in the new password.

Edit

You can give a placeholder in the input, it is similar to our login screen http://answall.com:

<label>Digite sua Senha:</label>
<br>
<input type="password" placeholder="******* Nova senha" size="25">
<br>
<input type="password" placeholder="******* Confirmar senha" size="25">

  • +1 Exactly, any encryption will return a different has, I just want a way to display to the client the asterisks!

  • Got it, in case, use the second approach!

3

First, by answering the question. Yes, it is possible, if the input value is equal to the existing value in the database before it is encrypted.

Encrypting the input value and compared to the existing value, you get the same return.

function senha($arg){
    $md5 = md5($arg, true);
    return substr($md5, 0, 22);
}

print senha('1234');
print "<br/>";
print senha('1234');

$senha_armazenada = senha('1234');
if($senha_armazenada === senha('1234')){
    print "senha confere";        
} else {
    print "senha nao confere";        
}

However cryptographic functions such as md5, sha1 and hereafter, are considered unfit for such tasks as "easy" to break. Although they seem indestructible, nowadays there is immense processing power and immense techniques to get the true value of this hash.

To create a hash safe, currently there are 2 important factors to take into account:

  • The cost (time the computer will take to generate this hash).
  • salt (a unique increment, which makes hash unique for each case).

The PHP >= 5.5.0 possesses native functions to create, check safe hashes without much effort. For older versions PHP < 5.5.0, there are ways to get the same result, also explained here.

Instead of using md5, you can use the native functions of PHP >= 5.5.0 to create something more secure.

<?php

header("Contet-Type: text/html; charset=utf-8;");

$usuarios = array(
    0 => array(
        'id'=>1,
        'nome'=>'Edilson',
        'hash'=>'$2y$10$i260FJQg7VgsNjXl6s9Mje9aqXUGbfa9L/c8bA2NOUHyDVoyJoyQu'
        ),
    1 => array(
        'id'=>1,
        'nome'=>'Samuel',
        'hash'=>'$2y$10$r1wD4rLLgB1jm6ExF.Em5eyKXdK4Wn8f6z.G9fsxmc3xXay4.pI/O'
        )    
    );


function logar($usuario, $senha){
    global $usuarios;
    foreach($usuarios as $key=>$set){
        if(in_array($usuario, $set)){
            if(password_verify($senha, $set['hash'])){
                return true;
            }
        }
    }
    return false;
}

function cadastrar($usuario, $senha){
    global $usuarios;
    if(!empty($usuario) && !empty($senha)){
        $hash = password_hash($senha, PASSWORD_BCRYPT);
        $id = mt_rand(3,50);
        if(array_push($usuarios, array('id'=>$id, 'nome'=>$usuario, 'hash'=>$hash))){
            return true;
        }
    }
    return false;
}

//var_dump(cadastrar('Edilson','password')); # (true/cadastrado)
var_dump(logar('Edilson', 'password')); # (true/logado)
var_dump(logar('Samuel', '1234')); # (true/logado)print_r($usuarios);

?>

Here for example, the variable $usuarios functions as a table in the database, and when the function logado is called, it looks in this array, the corresponding hash, and compares, through the function password_verify, which returns true if both are equal, or false if the comparison fails.

Recommended:

2

The md5() is irreversible, the encrypted password is not accessible, the amount of characters will always be 32, the rash of the md5 can be repeated even if they have passwords of different characters. One of the safe ways to create passwords is through the password_hash php.net.

<?php
require 'password.php';

$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);

if (password_verify('bad-password', $passwordHash)) {
    //Senha correta
} else {
    //Senha errada
}

The query for an MD5 will always be through a valid password of type:

'SELECT * FROM TABELA where senha=MD5(:senha)'

Browser other questions tagged

You are not signed in. Login or sign up in order to post.