[HELP]Password script

[Necron33]

Hello, recently i was writing a small PHP script that returns the user password to his email from the account table.
I came accros one thing only, Decrypting MD5 Hashes in order to send the password to the E-Mail, i thought it was impossible, if it was that, How can i make it that it needs confirmation from the email to re-set the password.

Thank you,
Necron33

[funhacker]

No you can't decrypt MD5 the best way this is possible is to have another table that stores the password without MD5 along with the account id. Otherwise you have to reset and just send without the md5 encryption of course.

[SoulNecturn]

funhacker has right - dont even try to write scrypt that will decrypt MD5...

If you wanna make register page and resend pass page use this though:

- prepare register page that will be encrypting pass to MD5 (so all data will be safely stored)
- prepare send back pass page - that in real will be sending on chosen e-mail NEW password that will/can be randomly generated and automatically encrypted via MD5 (+saved under old pass)...
this is best reasonable way to do actions like this...

of course you can chose other ways - like restoring pass without resending new pass - but just chnaging it under page for your new one after filling out on some questions (that was asked during registration and was stored along with old pass and login) = way of "secret questions"

thats how it works more less

[rexes13]

lol....there are ways to do it...there are some standard functions used in some languages that do this part ...i can search it Necron and tell u...

[SoulNecturn]

Quote:

Originally Posted by rexes13

lol....there are ways to do it...there are some standard functions used in some languages that do this part ...i can search it Necron and tell u...

pffff good luck in your journeys bheh

you see MD5 is ONE WAY encryption...
even all hackers tries focusing on getting certain pass from MD5 are based on comparison like:

system has already big database of examples - word | MD5 encrypted
while searching for this word - system is just comparing to this database with examples... - thats how it works...

so like I said good luck in your journeys in finding something that was in the beginning impossible since thats how MD5 was made and for whats most important

Regards

[funhacker]

Quote:

Originally Posted by rexes13

lol....there are ways to do it...there are some standard functions used in some languages that do this part ...i can search it Necron and tell u...

as soul is saying rexes you can't decrypt md5, most use what they call rainbow tables. These are tables with 2 fields pretty much.
[MD5HASH][WORD]

MD5HASH has the md5 encrypted version of the WORD field.

You input a md5 hash code and it searches this table (takes a VERY long time if any good) and will rarely return a result. Unless the password is common like password, D.O.B. etc.
If it is random letters and numbers you wont get it from any MD5 tables.

[King_Arthur]

Also note that the md5s are salted, so no rainbow table out there will help you since they are generally unsalted general md5 rainbow tables. Also the idea behind a "hash" is that they are one-way only.

And I suggest you do not do the separate field storing the plain-text password. Anyone with db access would be able to see everyone's password and if you have a leak of your database as a certain someone did not to long ago then your server is screwed in a matter of seconds.

[Necron33]

I am following what Souler said, what if people abused that and kept changing passes is it just-resends new passwords to email with out confirmation, you can read that above.

[SoulNecturn]

then if you want to be sure that someone wont abuse it by for example friend who knows someone login and his e-mail (where both you must put proper to send new pass) ... just add to this additional question so it could look like this:

your ID:
your e-mail address:
question-> Whats your mother name
answer:

and then it will be super hight to be abused ... but normally I believe this login and e-mail should be just enough



OR - just make limit ... for example 3 changes per day week etc

[Necron33]

Thanks. .

[PowerChaos]

eum , i like to give commend on the decrypting of md5

there is a way to decrypt it and to change it
its kinda easy how it is done

only 1 problem , you need to have it decrypted with a value of numbers (check numbers)
if you encrypt it random then you cant decrypt it

the numbers are the 'ramdom' generating of it , if you use the same numbers then it can decrypt it like before

Greets From The Crasher

[funhacker]

Quote:

Originally Posted by The Crasher

eum , i like to give commend on the decrypting of md5

there is a way to decrypt it and to change it
its kinda easy how it is done

only 1 problem , you need to have it decrypted with a value of numbers (check numbers)
if you encrypt it random then you cant decrypt it

the numbers are the 'ramdom' generating of it , if you use the same numbers then it can decrypt it like before

Greets From The Crasher

....You can not decrypt MD5.

The reason behind MD5 is for passwords it means if a servers security is breached people's accounts are not lost.
If a file has been tampored with to contain a virus when someone posts the MD5 hash it should be along with it then you know because these things can not be tampored with.

There is just some math that can not be reversed.

Yes you could decrypt MD5 IF you knew atleast 1 or 2 letters contained within the password that's about all your chances are.

If BOB = 4032
Then what does
2625000 equal?
I will give you a hint at least it's a fruit of some kind. You can't guess either you have to have a mathematical reason to why you think it is what it is.

[Necron33]

Decrypting MD5 can be done.
not through PHP, through C++.
If you look at the core account server code, you would find so .

[funhacker]

Quote:

Originally Posted by Necron33

Decrypting MD5 can be done.
not through PHP, through C++.
If you look at the core account server code, you would find so .

Seriously dude the only way you are going to reverse the hash into an actual word/sentence etc. is if you had a program repeatedly come up with random letters numbers and symbols until it found an md5 that matched. But ultimately this is still not decrypting and it is VERY ineffective specially running for a password recovery.

But now thinking about it is this because you are starting another server or are you trying to use existing md5hash passwords and logins that you may of obtained from another game/server?

[PowerChaos]

funhacker , you say you cant decrypt md5
let me proof you that it is posseble on a simple way

if you go to your db , the password is entered in md5
now , go to a forum and get the same password , it got other numbers but it is still the same password but it is created with other value's

so the password md5 of your forum will never work into eudemons , the value is wrong (still same password )

now a other funny thing
a password get decrypted to check if it is the same password with the same value
every code can be decrypted , it use the same way as encrypting but then to the other direction

the only thing you need is the value that it use to encrypt and then you can decrypt

basicly , if you use the forum password to decrypt with the wrong value's then you get a differend password
if you use it with the right value then you get exact the same

hardest part , try to get the value

for the rest , everything that you can encrypt can be decrypted , no mather what code it is
there are no safe ways of unencrypted data
els they would use only md5 as the safest way and not other encrypting methodes
and in case of intrests just follow this link
MD5 - Wikipedia, the free encyclopedia
Encryption - Wikipedia, the free encyclopedia

Thank you
Greets From The Crasher