0

Implementing a service that posts a user's ID and an MDG-hashed password to my server for verification.

We store hashes passwords that are generated using the password_hash() function in PHP >5.5.

Is there any way to verify the MD5 hash and our hash point to the same password?

Normally, a password would be submitted to us via a login form and we would verify with password_verify() but without the password in plain text I'm at a bit of a loss.

MrTux
  • 32,350
  • 30
  • 109
  • 146
Steven Sokulski
  • 354
  • 1
  • 4
  • 17
  • 1
    Not unless you use the same hashing mechanism, seed, etc. – Jay Blanchard Sep 24 '14 at 17:56
  • Jay's right. You can keep the password rows while getting your users to update their passwords (*force them to*) using the new hashing method. The new password column could be marked as "verified". Then, setup your login with a WHERE clause for the `WHERE pw='verified'` – Funk Forty Niner Sep 24 '14 at 17:57
  • See this answer http://stackoverflow.com/a/18906896/ you can check and convert against MD5 passwords to the new `password_hash()` method. You can further your research by Googling "convert md5 to password_hash php" – Funk Forty Niner Sep 24 '14 at 18:06
  • Currently, we store the result of password_hash() in the database. But a vendor wants to send us MD5 hashed values when users try to login via their service. I'm going to keep it simple and insist that they implement password_verify() and we'll provide them with the hashed value to perform comparison. – Steven Sokulski Sep 24 '14 at 18:49
  • @StevenSokulski Your comment above should have been inside your question from the beginning. I would have been able to provide you with a detailed answer, including the link I've already provided above in order to convert the MD5 to `password_hash()`. Your question was a bit unclear. Details as such are important. – Funk Forty Niner Sep 24 '14 at 19:03
  • @Fred-ii- Sorry 'bout that. I thought I was being pretty clear when I said I needed to verify that a submitted MD5 hashed value and my value created using the password_hash() function point to the same source value. Based on your link (and others about converting MD5 to passworDd_hash()) I would need the password in plaintext, which I won't have. Makes sense. Thanks! – Steven Sokulski Sep 24 '14 at 19:19
  • @StevenSokulski I understand. Getting the password in plaintext is possible, yet I'm under the impression the vendor doesn't want to provide it, which makes sense if you think about it ;) - However, if and when you do get one, this can easily be converted from one format to another. Oh, and you're very much welcome. I'm just glad you found your solution, *cheers*. – Funk Forty Niner Sep 24 '14 at 19:22

2 Answers2

0

Normally, a password would be submitted to us via a login form and we would verify with password_verify() but without the password in plain text I'm at a bit of a loss.

As long as you use secure transport (SSL), this won't be an issue. That's the standard way that this is done. Otherwise you'll need to implement the hashing mechanism used by password_hash() in your client. Doing this wouldn't make your security scheme any better. It's still susceptible to replay attacks.

Also, you should stay away from MD5 because it's broken.

Samuel
  • 16,923
  • 6
  • 62
  • 75
  • I don't think that's what the question is about. I think it's more about converting MD5 to the `password_hash()` method. [`See my comment`](http://stackoverflow.com/questions/26023415/verify-password-that-is-hashed-outside-our-control#comment40760706_26023415) under OP's question. I'm sure the OP is aware about MD5 vulnerabilities which is why is moving to `password_hash()`. – Funk Forty Niner Sep 24 '14 at 18:08
  • Parts of his question indicate he's posting an MD5 hash of user's credentials. This is very insecure, so he should be warned of that fact. I addressed his concern about sending credentials over plaintext, and I offered a better and best-practice solution. – Samuel Sep 24 '14 at 18:10
  • OP => *"We store hashes passwords that are generated using the password_hash() function in PHP >5.5"* - Re-read the question. I too was a bit confused at first. – Funk Forty Niner Sep 24 '14 at 18:11
  • It's not about what he's storing it's about what he's transmitting over the network. If you transmit an MD5 hash of a password you're susceptible to replay attacks to bypass the security and somebody could quickly use lookup tables to reverse the hash. – Samuel Sep 24 '14 at 18:14
  • Thanks Samuel. That's very helpful. I mentioned in a comment above that we're working with a vendor that wants to provide us with MD5 hashed passwords. I'm going to keep it simple and insist that they implement password_verify() and we'll provide them with the hashed value to perform comparison. – Steven Sokulski Sep 24 '14 at 18:49
0

You can't decrypt it. But if you can change the mechanism for generating the password, you can refer to this post

Community
  • 1
  • 1
Garima
  • 174
  • 6