
As in the title, please kindly show me how to decode a password string encoded by this:

$password = md5( addslashes( $_POST['password'] ) );

For the example: f21601fea7f496cfbc23f7310e13f941

Thank you!

marekful
  • It can be reversed, but not so easily... – Jazi Apr 21 '15 at 19:16
  • @KrzysztofTrzos More than one password can generate the same MD5 hash, so it *technically* can't be reversed - there are an infinite number of strings that'll match any one MD5 hash. – ceejayoz Apr 21 '15 at 19:17
  • *"How to decode the password:"* - **don't** - call it a blessing in disguise that it's not working. Here, ircmaxell posted an answer earlier using a much safer hashing method http://stackoverflow.com/a/29778421/ – Funk Forty Niner Apr 21 '15 at 19:21

1 Answer


MD5 is a one-way hashing algorithm. The nature of such an algorithm is that it cannot be reversed. If it could, it'd be an encryption algorithm, not hashing.

Before you go switch to an encryption algorithm, don't. Passwords should always be stored as hashes if possible (there are unusual cases, like where you're storing a password for a third-party system). This protects your users if your code/database get compromised.

For simple strings, it may be possible to look up an MD5 hash in a "rainbow table". As an example, 098f6bcd4621d373cade4e832627b4f6 can be put into a tool like http://md5cracker.org/ to find out the password is probably test (but it could be another string that results in the same hash, known as a collision).

Note: MD5 is also insecure because of the speed with which you can generate a rainbow table. You should use PHP's built-in password_hash / password_verify functions when hashing passwords, as they take advantage of the secure bcrypt hashing algorithm.

ceejayoz
  • Actually I also add a field (in sign up form) that would store user's password in plain text, but when I search that text in DB, it didn't work. `$password = md5( addslashes( $_POST['password'] ) ); $pwd = addslashes( $_POST['pwd'] ) ;` – Christopher McKenny Apr 21 '15 at 19:49
  • @ChristopherMcKenny Don't do that. Also, stop with the `addslashes` stuff. It's unnecessary in your code (MD5 hashes will never have a `"` character) and it's not sufficient to protect against SQL injection either. – ceejayoz Apr 21 '15 at 19:49
  • You also need to [salt](https://crackstation.net/hashing-security.htm#salt) your passwords before hashing. `password_hash` and `password_verify` take care of all of this for you. – Neil Smithline Apr 21 '15 at 22:50
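As an added example (not part of the question or of ceejayoz's answer), here is how the `password_hash` / `password_verify` approach the answer recommends fits together with the prepared-statement point the comments make about `addslashes`; it assumes PHP 5.5+, a PDO connection `$pdo`, and a hypothetical `users` table with `email` and `password_hash` columns.

```php
<?php
// Added example, not code from the question or the answer. Assumes PHP 5.5+,
// a PDO connection $pdo, and a hypothetical `users` table with columns
// `email` and `password_hash` (VARCHAR(255); bcrypt output is 60 chars today,
// but the PHP docs recommend leaving room for future algorithms).

// Storing a password: password_hash() draws a random salt, runs bcrypt, and
// embeds algorithm, cost and salt in the returned string, so no separate
// salt column is needed.
function register_user(PDO $pdo, $email, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // A prepared statement sends the values separately from the SQL text;
    // that is what actually prevents SQL injection (addslashes() does not).
    $stmt = $pdo->prepare(
        'INSERT INTO users (email, password_hash) VALUES (:email, :hash)'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Checking a login: password_verify() reads the salt and cost back out of the
// stored hash and compares in constant time. Never look the user up by the
// hash itself, as the original code tried to do.
function login_user(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade stored hashes when the default cost/algorithm changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
        $upd->execute([
            ':hash'  => password_hash($password, PASSWORD_DEFAULT),
            ':email' => $email,
        ]);
    }
    return true;
}

// Why an MD5 hash can be looked up in a table but a bcrypt hash cannot:
// the same input always gives the same MD5 (the answer's example hash),
// while two bcrypt hashes of the same password differ because each call
// uses a fresh salt, and both still verify.
var_dump(md5('test') === '098f6bcd4621d373cade4e832627b4f6');
$a = password_hash('test', PASSWORD_DEFAULT);
$b = password_hash('test', PASSWORD_DEFAULT);
var_dump($a !== $b, password_verify('test', $a), password_verify('test', $b));
```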