-1

I have passwords for members on a site encrypted using MD5 and stored in the database. I want to implement a lost password functionality where the user will be emailed their credentials if they forget them. But how to output the unencrypted password or is it one way encryption and hence impossible?

Jose
  • 37
  • 1
  • 1
  • 3
  • 8
    @Slaks: No, he *should* use MD5. He *shouldn't* allow them to recover the plain text password. – Josh K Jun 27 '10 at 03:35
  • 1
    This isn't the first time I've heard this question -- why are people even hashing passwords if they don't understand it's irreversible? There would be no benefit if you could get the plaintext back – Michael Mrozek Jun 27 '10 at 03:42
  • 4
    @Josh K - @SLaks's point here is that MD5 is a weak algorithm, not that hashing itself is bad. – Matchu Jun 27 '10 at 03:48
  • 2
    @Josh: No. He should use bcrypt. – SLaks Jun 27 '10 at 04:03
  • @Slaks: blowfish is a block cipher, not a hash. There's a modified version that is a hash, but unclear how much collision analysis has been done (this isn't to say that MD5 is good - it isn't). All that being said, you should always hash passwords, not encrypt them. – Nick Bastin Jun 27 '10 at 04:12
  • 2
    (@SLack, correct me if I'm wrong, but) I think SLak's point was that if this is the result the OP wants to achieve, MD5 is a bad choice since it's a hash algorithm, and not an encryption algorithm. – Cam Jun 27 '10 at 04:18
  • @Slaks: What do you gain (other than loss of security) by storing passwords in a reversible manner? – Josh K Jun 27 '10 at 06:30
  • @Josh K: i.e. Many strong, challenge-response based, authentication schemes require storing plaintext passwords. – el.pescado - нет войне Jun 27 '10 at 10:46
  • 1
    @el.pescado: Like what? I can't think of *any* reason to store a plaintext password. Store the hash and compare the hashes. – Josh K Jun 27 '10 at 16:28
  • Like, for example, CRAM-MD5 or authentication schemes used in Jabber. – el.pescado - нет войне Jun 27 '10 at 17:47
  • 3
    It's funny that people are afraid to store plaintext password in database, which is reasonably secure place, but sending password in plaintext over network (which is inherently insecure) is perfectly OK for them. Note that many sites still don't use SSL. – el.pescado - нет войне Jun 27 '10 at 17:51
  • possible duplicate of [Is it possible to decrypt md5 hashes?](http://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes) – Mechanical snail Jan 07 '13 at 23:28
  • He should not use MD5. Password hashes need to be expensive, and need a salt. So you should use a hash designed for hashing passwords, such as bcrypt, PBKDF2 or scrypt. You should not use a general purpose hash, such as MD5 or SHA-2. Encryption isn't the correct choice either. – CodesInChaos Mar 02 '13 at 10:31
  • @NickBastin bcrypt is a password hash, blowfish a cipher. While bcrypt reuses part of blowfish, it's still a different construction. Bcrypt is appropriate here, blowfish isn't. – CodesInChaos Mar 02 '13 at 10:32

7 Answers

21

MD5 isn't encryption - it's a one-way hash. You can't reverse a one-way hash (theoretically you can find a plaintext that has an equivalent hash which is generally as good, but you can't in any reasonable amount of time), so you just need to set a new password and email it to them as a temporary, and/or just provide them a link to reset their password.

Nick Bastin
  • 30,415
  • 7
  • 59
  • 78
  • 3
    Actually what you describe isn't reversing the hash. The best you can do is find a plaintext that hashes to the same value. Asserting that what you find is the same as the original (and not simply a hash collision) assumes more than you actually know. – Slartibartfast Jun 27 '10 at 03:28
  • 1
    Sure, but it doesn't actually matter - as soon as you can find plaintext that hashes to the same value, you can defeat it. – Nick Bastin Jun 27 '10 at 04:08
  • Well if the intention of attempting to reverse the hash is to retrieve the original text and not a different one that works then it does matter. – Davy8 Jun 27 '10 at 06:23
  • 1
    +1. "MD5 isn't encryption - it's a one-way hash." That explains everything. – AKS Apr 27 '12 at 17:22
  • As Slartibartfast said, you can't, even theoretically. – David 天宇 Wong Jan 23 '13 at 12:47
  • @Slartibardfast and @David 天宇 Wong, if the candidates are `password` and an infinite number of quite long, random-looking passwords then, theoretically speaking, the probability of the first one is beyond reasonable doubt. Practically, statistical tests are used to determine automatically whether regular cipher cracking has succeeded or not so that the results can be checked by a human. – Olathe Feb 19 '13 at 23:10
  • In practice you can reverse it quite often, because typical passwords are easy to guess, and MD5 is fast (you can try several billion candidates per second on a GPU). That's why MD5 is not an appropriate password hash. – CodesInChaos Mar 02 '13 at 10:29
6

The point of using a one-way hash is to prevent exactly what you are trying to do. If you can read the plaintext password, then anyone who gets a hold of your database can too. Hint: what do you do with old backup media? Throw them in the trash? Criminals have been known to dumpster-dive for backups.

Instead of sending the user's password back to them, set up a system so they can reset their password. Read up on some articles about this before implementing it.

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
3

[Entire answer replaced thanks to prompting from CodesInChaos; the previous answer is in history.]

You should not use MD5 to store your passwords. See the LinkedIn password breach if you need any more compelling reason to move away from MD5.

To prevent a password database breach from being the headline news that it was for LinkedIn, you need to use a significantly better hashing function. DES-based crypt(3) might have been good enough in the late 70s, but modern bruteforce searching tools can easily test millions of candidate passwords per second.

By contrast, that same tool is able to bruteforce just thousands of bcrypt hashes per second. (Sadly they do not publish scrypt timings.) Your MD5 is millions of times worse than either of these ready replacements.

For a larger look at password safety, I recommend reading the Password security: past, present, future slides.

sarnold
  • 102,305
  • 22
  • 181
  • 238
  • I've never heard of that weakness in MD5 before... And I thought SHA-512 just made it harder by making attacks just take forever, not actually more secure. Hmmm.. I learned something today. +1 – TheLQ Jun 28 '10 at 04:41
  • 1
    These collision attacks are irrelevant for password hashing. The relevant attack is guessing the correct password, which you limit by using a salt (prevents multi-target attacks) and a slow hash. Plain SHA-2 is almost as bad as plain MD5. – CodesInChaos Mar 02 '13 at 10:34
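sarnold's answer compares the guess rate a cracking tool achieves against MD5 with the rate against bcrypt. The following is an added example, not code from the answer, that makes the same comparison measurable on your own machine: it hashes candidates with unsalted MD5 (the scheme in the question) and with salted PBKDF2-HMAC-SHA256 from Python's standard library (used here instead of bcrypt only because bcrypt needs a third-party package; bcrypt or scrypt are equally good choices). The iteration count is an assumption for illustration, and the stored-string layout and function names are mine.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256. The number is an assumption for illustration,
# not a figure from the answer: tune it so one hash costs roughly 100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def md5_hash(password: str) -> str:
    """The scheme from the question: unsalted MD5, stored as hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash in a self-describing stored form:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>', so the cost can be raised later
    without invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], str], seconds: float = 0.5) -> float:
    """How many candidate passwords one CPU core can push through hash_fn per second.
    The loop body runs at least once, so the result is always positive."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate-{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    md5_rate = guesses_per_second(md5_hash)
    # fixed salt here only so the timing loop measures the hash, not salt generation
    slow_rate = guesses_per_second(lambda p: pbkdf2_hash(p, salt=b"timing-only-salt"))
    print(f"unsalted MD5 : ~{md5_rate:,.0f} guesses/s per core")
    print(f"PBKDF2-SHA256: ~{slow_rate:,.0f} guesses/s per core "
          f"({md5_rate / slow_rate:,.0f}x fewer)")
```

The single-core Python numbers are far below what a GPU cracker achieves, but the ratio between the two schemes is what matters: every factor you add to the iteration count is a factor the attacker has to pay per guess, and the per-record salt means that cost cannot be amortised across users.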
1

No

You can't recover the original password from the MD5 hash. It's a one way hash function.

Also

You shouldn't be providing them with the plain text password. What you should do instead is either allow them to change the password, or generate a random one for them to use and then force them to change it.

Josh K
  • 28,364
  • 20
  • 86
  • 132
  • Using rainbow tables, it's possible to recover original passwords to some degree. – Jon Bringhurst Mar 09 '11 at 23:12
  • @Jon: While you are technically "recovering" the plain text of the hash, he is asking if the hash is a type of reversible encryption which it is not. – Josh K Mar 10 '11 at 04:05
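Nick Bastin's, Bill Karwin's and Josh K's answers all say the same thing: do not email the password, give the user a way to reset it. The following is an added example, not code from any of the answers, of one way to implement that in Python: a random token goes into the emailed link, only SHA-256(token) is stored, and the token is single use and expires. The 15-minute lifetime, the in-memory dictionary standing in for a database table, and the `set_password` callback (which is expected to store the new password with bcrypt or PBKDF2, not MD5) are all assumptions of this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumption for illustration: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issues single-use, expiring reset tokens. Only SHA-256(token) is stored, so a copy
    of the table (a leaked backup, say) cannot be used to take over accounts."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested deterministically
        # keyed by hex(SHA-256(token)); stands in for a database table
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create the token for the emailed link. Any earlier token for the user is revoked."""
        for key, rec in list(self._records.items()):
            if rec.user_id == user_id:
                del self._records[key]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._key(token)] = ResetRecord(
            user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the email; never stored in the clear

    def redeem(self, token: str, new_password: str,
               set_password: Callable[[str, str], None]) -> bool:
        """Accept the token from the link exactly once and only within its window."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return False
        rec.used = True
        set_password(rec.user_id, new_password)  # caller hashes it with bcrypt/PBKDF2
        return True


if __name__ == "__main__":
    service = PasswordResetService()
    credentials: Dict[str, str] = {}
    link_token = service.issue("alice")
    print("email alice a link containing:", link_token)
    print("first redeem :", service.redeem(link_token, "new-secret", credentials.__setitem__))
    print("second redeem:", service.redeem(link_token, "again", credentials.__setitem__))
```

Looking the record up by the hash of the token means the database never holds anything an attacker could paste into the reset URL, and a 256-bit random token cannot be guessed; the expiry and single-use flag limit the damage if the email itself is read by someone else later.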
1
  1. You shouldn't use MD5. Use SHA-1 and also use a salt; there is a lot of information on the internet.

  2. The purpose of hashing the password is exactly that. It is used because the original password can't be gotten (theoretically), so the password would be saved securely and it can be used to check if the password is correct easily.

  3. Almost all websites choose to generate a new password and send it by email as the forgot-password mechanism.

NeDark
  • 1,212
  • 7
  • 23
  • 36
1

While it has been pointed out that md5 is a hashing function, a function that takes a password and returns a string, e.g. f(password) == hash.

It IS possible to calculate a password that when put through this function gives the same hash, e.g. f(password) == hash == f(password')

This is normally done by precalculating all of the possible passwords and storing the hashes of these in a rainbow table (see Wikipedia entry). It is possible to download such rainbow tables but they are HUGE!

You may not recover the same password that the user originally used due to collisions in the hashing function.

Jonathan Stanton
  • 2,531
  • 1
  • 28
  • 35
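Jonathan Stanton's answer explains that a precomputed table maps hashes back to candidate passwords, and NeDark's answer says to add a salt. The following is an added example, not code from either answer, that shows why the salt matters by doing the defender's version of that lookup: auditing stored hashes against a blocklist of known-weak passwords. With unsalted MD5 one table built once answers the question for every account; with a per-account salt the table cannot be shared and the work grows with the number of accounts (and with a slow hash, with the work factor as well). The blocklist, user names and passwords are constructed for the example, and MD5 is kept as the hash only so the contrast is with the scheme in the question.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed toy blocklist standing in for the precomputed table the answer describes;
# a real table covers enormously more candidates, but the mechanism is the same.
TOY_BLOCKLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]


class CountingMD5:
    """Wraps MD5 and counts evaluations so the cost of each approach is visible."""

    def __init__(self) -> None:
        self.calls = 0

    def hexdigest(self, data: bytes) -> str:
        self.calls += 1
        return hashlib.md5(data).hexdigest()


def audit_unsalted(stored: Dict[str, str], blocklist: List[str],
                   h: CountingMD5) -> Dict[str, str]:
    """stored maps user -> unsalted MD5 hex. One table, built once with len(blocklist)
    hashes, resolves every account with a dictionary lookup: it is shared across users."""
    table = {h.hexdigest(w.encode("utf-8")): w for w in blocklist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def audit_salted(stored: Dict[str, Tuple[bytes, str]], blocklist: List[str],
                 h: CountingMD5) -> Dict[str, str]:
    """stored maps user -> (salt, MD5(salt || password) hex). No table can be shared:
    each account needs its own pass over the blocklist, so cost scales with the user count."""
    weak: Dict[str, str] = {}
    for user, (salt, digest) in stored.items():
        for w in blocklist:
            if h.hexdigest(salt + w.encode("utf-8")) == digest:
                weak[user] = w
                break
    return weak


def salted_record(password: str) -> Tuple[bytes, str]:
    """How a salted record would be written: fresh random salt, digest over salt || password."""
    salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # constructed accounts; the third password is not on the blocklist
    users = {"alice": "password", "bob": "letmein", "carol": "xK9#constructed-strong"}

    unsalted = {u: hashlib.md5(p.encode("utf-8")).hexdigest() for u, p in users.items()}
    counter = CountingMD5()
    print("unsalted weak accounts:", audit_unsalted(unsalted, TOY_BLOCKLIST, counter),
          "using", counter.calls, "hash evaluations for", len(users), "accounts")

    salted = {u: salted_record(p) for u, p in users.items()}
    counter = CountingMD5()
    print("salted weak accounts  :", audit_salted(salted, TOY_BLOCKLIST, counter),
          "using", counter.calls, "hash evaluations for", len(users), "accounts")
```

The weak accounts are found either way, which is the point of the audit, but the salted audit had to recompute the blocklist for each record. That is exactly the cost an attacker with a stolen table faces, and it is why the advice on this page is "salt and slow hash" rather than just "not MD5".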
-1

md5 is a one-way encryption/hashing function. Once hashed, a string can only be compared to its hashed version and not decrypted.

Babiker
  • 18,300
  • 28
  • 78
  • 125