1

I was thinking of sending an email with the MD5 password as token and checking if the email+password are correct before showing the recover password form.

1) user enters mail

2) if mail exists, send an email to it with the password as token

3) when the user clicks the link: check if mail and MD5 password are correct, if so:

4) show password generator form

-EDIT-

So how could it be safer without adding any column to the user table?

Toni Michel Caubet

5 Answers

5

It's at least theoretically unsafe. See e.g. "md5 decoding. How they do it?" and "MD5 security is fine?"

But why do that in the first place? The following would be much more secure, and only marginally more difficult to implement:

  1. Generate a random key, e.g. 123456789abc
  2. Store it in the user record
  3. Add the key to the URL lookup.php?key=123456789abc
  4. When the user clicks the URL, look up the key to find the correct E-Mail address.
  5. Once the operation has completed, delete the key.

Give the key a lifetime of, say, 24 hours so illegitimate requests fade away.

Pekka
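The key-based flow listed in this answer, as an added example that is not part of the original answer. It uses Python with an in-memory SQLite table; the `users` columns `reset_hash` and `reset_expires`, the function names and the sample address are assumptions, and storing only a SHA-256 hash of the key is a step the answer does not mention.

```python
import hashlib
import secrets
import sqlite3
import time

KEY_LIFETIME = 24 * 60 * 60  # the 24-hour lifetime suggested in the answer

def _digest(key):
    # Only a hash of the key is stored, so a leaked user table cannot be
    # replayed as reset links (an assumption added here, not in the answer).
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(db, email, now=None):
    """Steps 1-3: create a random key, store it, return it for the URL."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    cur = db.execute(
        "UPDATE users SET reset_hash = ?, reset_expires = ? WHERE email = ?",
        (_digest(key), now + KEY_LIFETIME, email))
    db.commit()
    # Unknown address: nothing is stored and no mail is sent. The caller shows
    # the same page either way so the form does not reveal who has an account.
    return key if cur.rowcount == 1 else None

def lookup_key(db, key, consume=False, now=None):
    """Step 4: map the key to an e-mail address. Step 5: consume=True deletes it."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT email, reset_expires FROM users WHERE reset_hash = ?",
        (_digest(key),)).fetchone()
    if row is None:
        return None
    email, expires = row
    expired = now > expires
    if consume or expired:
        # Single use: clear the key once the reset is done or the key is stale.
        db.execute(
            "UPDATE users SET reset_hash = NULL, reset_expires = NULL "
            "WHERE email = ?", (email,))
        db.commit()
    return None if expired else email

def demo_db():
    """Constructed sample data: one user in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, "
               "reset_hash TEXT, reset_expires REAL)")
    db.execute("INSERT INTO users (email) VALUES ('alice@example.com')")
    return db
```

Call `lookup_key(db, key)` when the link is opened to decide whether to show the form, and `lookup_key(db, key, consume=True)` when the new password is submitted.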
1

I am rather sure this is not a good idea: If this mail falls into the wrong hands, it gives an attacker an offline vector against an MD5 - which means it gives him the password, if he is faster than the real user.

Use salting and a more calculation-intensive process.

Eugen Rieck
  • 1
    This would also apply for a random token. The only difference is that the random token has no other meaning. – Gumbo Feb 26 '12 at 17:02
  • 1
    IAUC the OQ was, if MD5-hashed password is safe. My answer is **NO**, and I never mentioned a random token. Using salt and a better (including more expensive) hashing function should reduce the risk from `very real` to `hypothetic` – Eugen Rieck Feb 26 '12 at 17:08
  • After the OP's edit: Using a **secure** salted password hash will work without touching the user table. This doesn't mean, that simply creating an extra table and using something else than the password wouldn't be more secure. – Eugen Rieck Feb 26 '12 at 17:10
1

If I understand correctly, and the MD5 hash of the password is only sent to that email address, then I think it's not that dangerous... It could be only if the email account has been compromised.

It's not the best practice, but I think the "email compromised" scenario is not of interest, since almost every method is "vulnerable" to that.

  • 1
    I don't understand the downvote. The OP is not asking for alternative (and better) methods, (s)he's asking whether it's safe or not. It's not the best practice, but I think the "email compromised" scenario is not of interest, since almost every method is "vulnerable" to that. – Michele Spagnuolo Feb 26 '12 at 16:56
  • I disagree, e-mail addresses are (mostly) "public" so getting the MD5 of the password simply by knowing it is not secure. – Aldo 'xoen' Giambelluca Feb 26 '12 at 17:05
  • 1
    But the MD5 hash is only sent **TO** that email address. You have to have access to that email account to read it. – Michele Spagnuolo Feb 26 '12 at 17:08
  • Not my downvote, but what you say isn't entirely true Michele: The URL will be visible 1. in the user's E-Mail client 2. in his browser history, with the hash present in the URL 3. in any proxy logs recording the traffic 4. in the server logs - all not *acutely* dangerous points of entry, but still – Pekka Feb 26 '12 at 20:56
  • You're right. And in every mail server it goes through... I'm into InfoSec and I'd never use that approach, but I've seen worse things in real systems (even e-gov sites), such as the email address in base64 as recovery token. I have specified it's not the best practice, but it's not a critical issue, if I had to assess risk. – Michele Spagnuolo Feb 27 '12 at 07:40
0

You can use a random string instead of the md5'ed password. You only need to verify that the person who asks you to reset the password is also the owner of the email address.

When you send out something that is related to the password (like a hash), then you give out a hint that you don't need to give out. There are tables out there to do the reverse of an MD5 hash and that can be used to guess the password.

Think of the random string as a session id.

Jörg Beyer
0

Maybe it would be better to at least use the MD5 of something else, since if the password is weak an attacker could use a dictionary to discover the password.

As others suggest it would be better to avoid this, and ideally generate a random token, store it somewhere, and send/verify it.

Aldo 'xoen' Giambelluca