
I am sharing the code of my 2 files, for inserting usernames and passwords and for retrieving data. My scenario is somewhat different. If username: abc and password: 123456789

On the login screen the user has to enter only 3 digits from his password, but those will be random digits from his password. If the system now asks me for the 1st, 3rd and 9th digit of the password, after reloading the page it will change randomly; it will display 2nd, 5th and 4th, etc.

I have done this task earlier with my code, but now I am thinking of inserting the password with the md5 encryption method.

I am stuck here: if I use md5 for encryption, then how do I retrieve the password?

insert.php :

<?php
include 'conn.php';
if (isset($_POST['submit']))
{
    $name = $_POST['username'];
    // MD5 of the password, as described in the question
    $pass = md5($_POST['password']);

    // Prepared statement: the values are bound, not concatenated into the SQL
    $stmt = mysqli_prepare($conn, 'INSERT INTO `emp`(`name`, `pass`) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $name, $pass);
    if (mysqli_stmt_execute($stmt))
    {
        // Redirect before any HTML output is sent, then stop
        header('Location: index.php');
        exit;
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
    <form action="" method="post">
        <label>username</label>
        <input type="text" name="username">
        <label>pin</label>
        <input type="password" name="pin">
        <label>password</label>
        <input type="password" name="password">
        <button name="submit">Submit</button>
    </form>
</body>
</html>

index.php:

<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
<?php
include 'conn.php';
if (isset($_POST['submit'])) {
    $name = $_POST['username'];
    $pass1 = $_POST['pass1'];
    $pass2 = $_POST['pass2'];
    $pass3 = $_POST['pass3'];

    // Positions are used as SUBSTR() offsets, so force them to integers
    $char1 = (int) $_POST['char1'];
    $char2 = (int) $_POST['char2'];
    $char3 = (int) $_POST['char3'];

    // Prepared statement: every request value is bound, none is concatenated into the SQL
    $sql = 'SELECT name,pass,pin from `emp` '
            . 'where `name` = ? '
            . 'AND SUBSTR(pass, ?, 1) = ? '
            . 'AND SUBSTR(pass, ?, 1) = ? '
            . 'AND SUBSTR(pass, ?, 1) = ? ';

    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, 'sisisis', $name, $char1, $pass1, $char2, $pass2, $char3, $pass3);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    if (mysqli_stmt_num_rows($stmt) > 0)
    {
        echo 'success';
    }
    else
    {
        echo 'Fail';
    }

}

// generate unique, not equal numbers
$char_pos = range(1, 9);
shuffle($char_pos);
$char_pos = array_slice($char_pos, 0, 3);
sort($char_pos);
?>
<form action="" method="post">
    <input type="hidden" name="char1" value="<?php echo $char_pos[0]; ?>">
    <input type="hidden" name="char2" value="<?php echo $char_pos[1]; ?>">
    <input type="hidden" name="char3" value="<?php echo $char_pos[2]; ?>">    
    Username:
     <input type="text" name="username" value="">    
    Password:
     <input type="password" class="inputs" maxlength="1" name="pass1" placeholder='<?php echo $char_pos[0]; ?>st' value="">
     <input type="password" class="inputs" maxlength="1" name="pass2" placeholder='<?php echo $char_pos[1]; ?>th' value="">
     <input type="password" class="inputs" maxlength="1" name="pass3" placeholder='<?php echo $char_pos[2]; ?>th' value="">
     <button name="submit">Submit</button>
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script>
    $(".inputs").keyup(function () {
        if (this.value.length == this.maxLength) {
          $(this).next('.inputs').focus();
        }
    });
</script>
</body>
</html>
Cody Gray - on strike
amit sutar

2 Answers

As already pointed out in comments, md5 is a one-way hash function, not an encryption. This means that it is impossible to perform a partial password verification against the hash because the original password cannot be retrieved.

The Smart Architects blog used to have a great article on partial password verification, but now it is only accessible via web archive.

To sum up the possibilities (omitting the completely insecure solution of storing the password in plain text):

  1. Store the passwords in an encrypted format, meaning you can retrieve the password in plain text if needed for comparison. Pro: easy to implement. Con: if someone obtains the key, then all passwords can be reversed. If you want something really secure, then you probably need an HSM (Hardware Security Module) for this. Until you get your hands on an HSM, you can try the openssl_encrypt() function.

  2. Hash all combinations of letters the interface may ask for, in a hashed format. Pro: probably the most secure storage format (if the right hashing algorithm is used with salts). Con: just think about the number of records you need to create for a long password.

  3. Use the Shamir secret sharing scheme. Pro: compromise in storage space vs security. Con: probably the most difficult solution to implement from a coding perspective.

Shadow
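
Option 2 from the answer above, sketched as an added example that is not part of the original answer: one `password_hash()` record per 3-position combination (84 for a 9-character password). The function names and the `"1-3-9"` key format are assumptions made for illustration.

```php
<?php
// Added example, hypothetical function names; not code from the post.

// All k-element combinations of positions 1..n, each in ascending order.
function position_combinations(int $n, int $k, int $start = 1): array
{
    if ($k === 0) {
        return [[]];
    }
    $out = [];
    for ($i = $start; $i <= $n - $k + 1; $i++) {
        foreach (position_combinations($n, $k - 1, $i + 1) as $rest) {
            $out[] = array_merge([$i], $rest);
        }
    }
    return $out;
}

// Enrollment: "1-3-9" => salted hash of the characters at positions 1, 3, 9.
function enroll_partial_hashes(string $password, int $k = 3): array
{
    $records = [];
    foreach (position_combinations(strlen($password), $k) as $positions) {
        $chars = '';
        foreach ($positions as $p) {
            $chars .= $password[$p - 1];
        }
        $records[implode('-', $positions)] = password_hash($chars, PASSWORD_DEFAULT);
    }
    return $records;
}

// Login: $positions is the ascending challenge the server issued and kept in
// the session; $entered holds the typed characters in that same order.
function verify_partial(array $records, array $positions, string $entered): bool
{
    $key = implode('-', $positions);
    return isset($records[$key]) && password_verify($entered, $records[$key]);
}

// Constructed sample: the password from the question (9 characters).
$records = enroll_partial_hashes('123456789');
var_dump(count($records));
var_dump(verify_partial($records, [1, 3, 9], '139'));
var_dump(verify_partial($records, [1, 3, 9], '138'));
```

Each record covers only three characters, so the keyspace per record stays small however slow the hash is; keep the challenge positions in the session rather than in hidden form fields, and limit failed attempts.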

The MD5() function is not an encrypt/decrypt function. It produces data based on the input. That data cannot be reverted. If you need to check MD5 output against ordinary text, you have to MD5 the ordinary text and then compare both MD5 outputs.

There are several online MD5 decrypters available. They are based on past input history. www.md5online.org

md5decrypt.net/en/

You can check with this ..

Thank you...

Kavin D
    Please note that these are not decrypters; they simply look up a hash against a set of known values in a database.... hashing itself cannot be decrypted, despite what the names of these sites suggest – Mark Baker Oct 17 '17 at 08:57