Rick van den Bosch - Blog

... on .NET, software architecture, software development and whatnot

HOWTO: Encode a password using MD5 in C# (or: howto calculate the MD5 hash for a string)

The following method returns the MD5 hash of any given string, for instance a password. It might be of some assistance when you're trying to validate user credentials but don't want to store the password in readable form in the database.

For this method, you'll need the following using statements:

using System;
using System.Text;
using System.Security.Cryptography;

...

public string EncodePassword(string originalPassword)
{
  //Declarations
  Byte[] originalBytes;
  Byte[] encodedBytes;
  MD5 md5;

  //Instantiate MD5CryptoServiceProvider, get bytes for original password and compute hash (encoded password)
  //Note: ASCIIEncoding.Default is the inherited Encoding.Default (the platform default encoding), not ASCII
  md5 = new MD5CryptoServiceProvider();
  originalBytes = ASCIIEncoding.Default.GetBytes(originalPassword);
  encodedBytes = md5.ComputeHash(originalBytes);

  //Convert encoded bytes back to a 'readable' string (hex pairs separated by dashes)
  return BitConverter.ToString(encodedBytes);
}

Hmmm... I seem to write comments when I'm trying to explain something ;)

Comments

Rick van den Bosch said:

Isn't it a lot easier to use the HashPasswordForStoringInConfigFile method of the FormsAuthentication class?
# May 18, 2005 4:20 PM

Rick van den Bosch said:

That method does do the same, so it seems...
# May 27, 2005 7:41 AM

joe said:

Thanks, I needed a way to get the byte[] md5 hash of a string password...worked great
# August 22, 2006 2:05 PM

Vlad said:

Your site is really very interesting.
# August 23, 2006 5:56 AM

kennedy & kate said:

Nice! I'll use it on my site. -kak http://www.kennedyandkate.com
# October 6, 2006 5:33 PM

Kenshi said:

As a side note: if you want to return a string without the dashes in it, replace the last statement with: return Regex.Replace(BitConverter.ToString(encodedBytes), "-", "");
# November 7, 2006 3:51 PM

RICK said:

I have a problem: the MD5 password in my OpenLDAP server is saved as {MD5}o5c3WBNN50D/iYO5RJxcvw==, but when I compare it with the password in my ASP.NET application the string is different, something like: j+ZGDCZGqIQtr/6+ZDxa4w==. Could somebody help me in this case?

# April 5, 2007 2:55 PM

Aaron said:

Hi, your code was very useful. However, I would like to enquire about something. Is there any way your code for MD5 encryption can be modified to produce an encrypted output of this format?

aTXuyYqHUUudx0Km2bsZKlH4/WM=

WEo/tELTiM0dVGGxgsF+5XmDr6s=

koOQgZFIppxqOVFsmWKiOSMJ3RY=

The passwords I have in my database are of this format, and I am trying to find out how to insert new passwords as well as decrypt passwords of this format.

I thank you in advance for your help. Thank you

# April 21, 2007 7:57 PM

mousemee said:

Hi. The source code u provided for MD5 encryption was very useful. However, I would like to enquire if it was possible to make modifications to your coding such that the output encrypted passwords were of this format.

SZCi/864aZZbnCv6hqp+FV/cUPw=

This is so as i am required to encode passwords as well as decode passwords of this format. Thank you very much in advance.

# April 22, 2007 12:58 AM

mousemee said:

Hi, your code showed how to encode a string into a hashed string. How do I do the reverse? Input a hashed string and the original password is outputted?

# April 24, 2007 5:47 AM

John Doe said:

TO: mousemee

You don't do that. You need a hashed-string to string database. There's LOTS of combinations that generate the same hash.

# April 24, 2007 8:24 AM

mousemee said:

Hi. Is anybody familiar with using membership. create user web service? I need a web service that adds new users to a database which consists of several tables. Thank you

# April 24, 2007 10:01 PM

Ly said:

Please tell me, how to decode a password using MD5 in C#?

# May 16, 2007 2:27 AM

Rick van den Bosch said:

@ly: MD5 hashing only works one way. You can hash an entered string to see if its hash matches the one in the database (or wherever). It is not possible to recover a password based on its MD5 hash.

# May 22, 2007 1:53 PM

Robajz said:

It is possible to get a collision for the computed hash with brute force possibly optimized to abandon invalid iteration branches. But that is a whole science and I am not a scientist in that field.

Remember MD5 is not considered safe for storing passwords, or security any more. Use some stronger hash instead (SHA). However it is still good enough to hash file to check if there is no mod.

Check out wikipedia: http://en.wikipedia.org/wiki/MD5

# May 24, 2007 8:22 AM

Nurchi said:

I seriously doubt you can easily decode passwords encoded using MD5 (it is possible, but it may take you 10 million years...)

Why not just encrypt the entered password and then compare it against the record in the database?

Or am I missing something?

# August 7, 2007 7:42 PM

Dan said:

It is now possible to "decode" passwords that use MD5 (It won't take you 10 million years either).

Computers are powerful enough now that you can use a rainbow table (a table for MD5 hashes for every combination of letters, numbers, and sometimes symbols, up to 14 characters) to check a hash against a rainbow table relatively easily. There's a program (the name escapes me at the moment) that will actually do this to crack Windows passwords given their hash.

That is why it is important to salt your passwords before hashing. For example instead of this:

string hashedPass = MD5(password);

you would want to use this:

string hashedPass = MD5(aComplicatedSaltString + password);

Typically, a good salt would be the user's UserName and a programmer defined salt concatenated together.

That makes it harder to decode because then a hacker would have to add the salt when checking every password which would take the 10,000 years mentioned above (probably less than that, but still futile to attempt).

# September 23, 2007 6:32 PM

Mihai said:

Hi guys,

I'm using MD5 to encrypt my site passwords but I want to implement a "Forget Password" feature.

Is it possible to decrypt the array of bytes to what the user had entered initially?

Thanks.

# October 4, 2007 7:26 PM

Jahedur Rahman said:

Hi

Thanks for this help.

# January 9, 2008 2:10 PM

Jeremy Ault said:

If you're asking is it possible to simply reverse a hash the answer is NO.

A hash is a one-way function. It's simply a fixed-length "checksum" of sorts that is created based on the data presented. There is no reverse algorithm. That's the whole point.

The problem with trying to decode an MD5 hash is that it doesn't matter whether the message was three letters long or 500 pages long, the resulting hash is only 128 bits or 32 characters.

The most common way to crack MD5 hashed passwords is to use a program to systematically hash a dictionary or list of words (or random combinations of letters and numbers) until the resultant hash equals the hash you want to crack.

It's called a brute-force attack because you basically forcibly try every combination until you crack it.

If the password you are trying to crack is a simple or single word found in the dictionary, you can crack it in a matter of minutes or even seconds. If the password is long and complex, this method is typically fruitless.

That's why it is important to enforce complex password requirements of at least 8 characters, upper and lower case with at least one symbol (*&^, etc.).

# January 22, 2008 4:33 PM

John Malcolm said:

Why doesn't this work in dot.net within an apxs file? Where do I put the with statements? In the script tag or within the <%@ tag?

# February 8, 2008 10:48 AM

mani said:

can u please provide the code for decoding also...

encoding i did but i want to retrieve the encoded string from the database n compare it with the password field when the user logs in again. for this i need to decode the string so that it comes to its original value n then i can compare it with the password that the user enters...

reply asap

thanks

# April 22, 2008 3:07 PM

Simucal said:

For everyone asking for how to decode hashes, YOU CAN'T. That is the POINT. You can hash a string and compare it to your already computed hash, that is IT. Read a Wikipedia article on computer hashes, for god's sake.

Also, to the original poster, Rick van den Bosch... shame on you for using ASCIIEncoding.Default.GetBytes().  You do realize that would seriously restrict the usefulness of your method to working only in languages that ASCII has the character sets for, right?

I suggest you read this article entitled:

The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)

www.joelonsoftware.com/.../Unicode.html

# May 29, 2008 2:14 AM

Chuck said:

mani, you do not "decode" a hashed password. It's impossible.  Hashing is not encryption.   Once hashed, you cannot restore it to the original password.

To test to see if the user entered the right password, you hash the password the user enters on the login screen, and compare the result to the password-hash stored in the database.

The benefit here is that even someone who can see into the database cannot know what the user's password is.

The downside is that if a user loses their password, you cannot look it up to tell them. You need to have the system generate a temp password and mail it to them.

# June 3, 2008 1:07 AM

sime said:

Thank you man. It works exactly as I needed.

# June 5, 2008 11:40 PM

ScRePt said:

What is the length of the generated string? Is it fixed?

Somebody should know the length (at least the max) to store this to database.

# July 1, 2008 8:12 PM
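
The text forms of an MD5 digest that come up in the post and the comments (dashed hex from BitConverter.ToString, plain hex, and Base64 with the {MD5} prefix), as an added C# example that is not the author's code. StoredMd5 and its members are hypothetical names and the input string is constructed; Parse turns any of the forms back into the 16 digest bytes so that stored values are compared as bytes, not as text.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: StoredMd5 and its members are hypothetical names.
public static class StoredMd5
{
    // MD5 of the UTF-8 bytes, so the digest does not depend on the machine's code page.
    public static byte[] Digest(string text)
    {
        using (MD5 md5 = MD5.Create())
            return md5.ComputeHash(Encoding.UTF8.GetBytes(text));
    }

    // Accepts "A3-97-...", plain hex, Base64 or "{MD5}" + Base64 and
    // returns the 16 raw digest bytes, or null if the text is none of these.
    public static byte[] Parse(string stored)
    {
        string s = (stored ?? "").Trim();
        if (s.StartsWith("{MD5}", StringComparison.OrdinalIgnoreCase))
            s = s.Substring(5);
        string hex = s.Replace("-", "");
        if (hex.Length == 32 && Array.TrueForAll(hex.ToCharArray(), Uri.IsHexDigit))
        {
            byte[] fromHex = new byte[16];
            for (int i = 0; i < 16; i++)
                fromHex[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
            return fromHex;
        }
        try
        {
            byte[] fromBase64 = Convert.FromBase64String(s);
            return fromBase64.Length == 16 ? fromBase64 : null;
        }
        catch (FormatException) { return null; }
    }

    public static void Main()
    {
        byte[] d = Digest("constructed sample input");
        string dashed = BitConverter.ToString(d);            // two hex digits per byte, dash-separated
        string hex = dashed.Replace("-", "");                // the same digits without dashes
        string ldap = "{MD5}" + Convert.ToBase64String(d);   // scheme prefix + Base64 of the raw bytes
        Console.WriteLine("{0} {1} {2}", dashed.Length, hex.Length, ldap.Length);
        foreach (string form in new[] { dashed, hex, ldap })
            Console.WriteLine(Convert.ToBase64String(Parse(form)) == Convert.ToBase64String(d));
    }
}
```

The digest is always 16 bytes, so each text form has a fixed length that the database column can be sized for.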

MUFMS said:

Thank u that was helpful.

# July 29, 2008 1:48 PM

madhava reddy said:

i created a c# web form containing 2 labels, 2 textboxes and a button (ok). when i click on ok it should verify the userid and password from sqlserver; if the userid is correct then permit to go to the next page.

for this i need code for that

# August 2, 2008 11:32 AM