i have few quesions : 1) is it possible at all to decrypt an md5 encryption? if yes then how? 2)can i encrypt using my own key? thnaks in advance peleg
@AdamGundryJul 16.2004 — #MD5 is a message digest (hashing) algorithm, not an encryption algorithm - it is not possible to decrypt it. What do you mean by point 2? MD5 doesn't use a key.
@ermauJul 16.2004 — #[i]Originally posted by cijori [/i]
[B]While it isn't possible to decrypt it, MD5 hashes can be broken by brute force. [/B][/QUOTE]
This is very true, and while not normally a problem, I know that recently a web site has been put up that you can submit MD5 passwords to and they'll brute-force them and return the original string to you in a couple days. It may be wise to start double-encrypting md5 passwords ( $password = md5(md5($enteredPassword)); )
@NevermoreJul 16.2004 — #[i]Originally posted by ermau [/i]
[B]This is very true, and while not normally a problem, I know that recently a web site has been put up that you can submit MD5 passwords to and they'll brute-force them and return the original string to you in a couple days. It may be wise to start double-encrypting md5 passwords ( $password = md5(md5($enteredPassword)); ) [/B][/QUOTE]
I'm not sure that's exactly necessary - as long as people choose sensible passwords the forcing will take too long to be viable.
@AdamGundryJul 17.2004 — #[i]Originally posted by cijori [/i]
[B]I'm not sure that's exactly necessary - as long as people choose sensible passwords the forcing will take too long to be viable. [/B][/QUOTE]I agree, but if you are really concerned you can always use SHA-1 which returns a 160-or-more bit hash instead of a 128bit hash like MD5 so is even less susceptible to attacks.
On most websites, the password hashing algorithm is probably not the weakest link in the security setup by a long way, as long as you use a reasonable algorithm such as MD5 or SHA-1.