MD5 and password store
Posted: Sun Mar 17, 2013 10:30 am
by karu
Hi,
How do I store a password in a db, in the registry, or in an ini file, encrypted with md5, with PB 4.60? Can anyone give an example?
Thanks
Karu
Re: MD5 and password store
Posted: Sun Mar 17, 2013 11:52 am
by infratec
Hi karu,
it is not possible to store a password with md5.
You can only store a fingerprint, which means you always have to compare 2 fingerprints and not the password directly.
You should not be able to reconstruct the original password out of the MD5Fingerprint.
Code:
#PrefFile = "c:\tmp\test.pref"
Password$ = "TopSecret"
MD5Password$ = MD5Fingerprint(@Password$, Len(Password$))
OpenPreferences(#PrefFile)
WritePreferenceString("Password", MD5Password$)
ClosePreferences()
Password$ = "Test"
;Password$ = "TopSecret"
MD5Password$ = MD5Fingerprint(@Password$, Len(Password$))
OpenPreferences(#PrefFile)
MD5Pref$ = ReadPreferenceString("Password", "")
If MD5Pref$ = MD5Password$
  Debug "Password Ok"
Else
  Debug "Password failed"
EndIf
ClosePreferences()
First it fails.
If you change the comments it is Ok.
Bernd
Re: MD5 and password store
Posted: Sun Mar 17, 2013 12:39 pm
by karu
Thanks, your solution is the same as what I used before, but there is a problem with this solution. I have a big application where, on different computers, users save other users' passwords, and the md5 fingerprint on different computers is NOT always the same. Why, I don't know; that's why I asked. And if the fingerprint is not always the same, how do I compare it?
Instead of md5, today I use this solution, but I still want to use md5:
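Code:
*Buffer = AllocateMemory(500)
If *Buffer
  PokeS(*Buffer, "password")
  ; SHA1Fingerprint() returns a string, so the result goes into a string variable.
  ; Note: the whole 500-byte buffer is hashed here, not just the string.
  Password$ = SHA1Fingerprint(*Buffer, MemorySize(*Buffer))
  FreeMemory(*Buffer)
EndIf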
Re: MD5 and password store
Posted: Sun Mar 17, 2013 6:14 pm
by skywalk
Why do you want to use MD5? SHA1 is more secure and preferred by many. Though, I read many are using blowfish (bcrypt) since it is better at preventing hacks due to its much slower algorithm.
Depending on your goals:
Store Passwords as a HASH(SHA1 or blowfish). Unable to recover original password.
Store Passwords encrypted with AES. Original password can be recovered if keys are shared.
Re: BCrypt
Posted: Fri Sep 23, 2016 10:05 pm
by bhatkins2000
Has anyone had success using the Bcrypt.dll to encrypt and validate passwords?
Looking for some example code if anyone has.
Thanks for any help.
Re: MD5 and password store
Posted: Fri Sep 23, 2016 10:09 pm
by Keya
skywalk wrote: Why do you want to use MD5? SHA1 is more secure and preferred by many.
Why do you want to use SHA1? SHA2 is more... wait. SHA3 was accepted in 2015, and Fred's already added PB support

Re: MD5 and password store
Posted: Sun Sep 25, 2016 9:28 am
by walbus
@Keya - Think simple
MD5 is ok for this
Code:
EnableExplicit
UseMD5Fingerprint()
#salt$="86349c23q03457t5&(%)=/?=/()/%$%§?(/§"
Define password$="Your Password"
Define resulted_string$=password$+#salt$
Define hash$=Fingerprint(@resulted_string$, StringByteLength(resulted_string$), #PB_Cipher_MD5)
Debug hash$
@Infratec - This is not OK, this does not work correctly with Unicode
MD5Password$ = MD5Fingerprint(@Password$, Len(Password$))
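Added example, not part of the thread and not code from any poster: a Python model of why the fingerprint karu stores can differ between builds, and of the Len() problem walbus points out above. It assumes a Unicode build holds strings in memory as UTF-16LE and an ASCII build as one byte per character; pb_fingerprint, portable_fingerprint and compare_builds are hypothetical helper names.

```python
import hashlib

# Assumption: in-memory string layout per build (ASCII: 1 byte/char, Unicode: UTF-16LE).
BUILD_ENCODING = {"ascii": "latin-1", "unicode": "utf-16-le"}

def pb_fingerprint(password: str, build: str, use_len: bool) -> str:
    """Model MD5Fingerprint(@Password$, n) from the thread.

    use_len=True  -> n = Len(Password$), a character count
    use_len=False -> n = StringByteLength(Password$), a byte count
    """
    memory = password.encode(BUILD_ENCODING[build])   # bytes behind @Password$
    n = len(password) if use_len else len(memory)
    return hashlib.md5(memory[:n]).hexdigest()        # only the first n bytes are hashed

def portable_fingerprint(password: str) -> str:
    """Hash an explicit UTF-8 encoding so every build yields the same digest.
    This fixes only the encoding mismatch, not the choice of hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def compare_builds(password: str) -> dict:
    """Fingerprints of one password under each build/length combination."""
    return {
        "ascii + Len": pb_fingerprint(password, "ascii", True),
        "unicode + Len": pb_fingerprint(password, "unicode", True),
        "unicode + StringByteLength": pb_fingerprint(password, "unicode", False),
        "explicit UTF-8": portable_fingerprint(password),
    }

if __name__ == "__main__":
    for label, digest in compare_builds("TopSecret").items():   # constructed sample
        print(f"{label:28} {digest}")
    # In a Unicode build, Len() covers only half the bytes, so two different
    # passwords of equal length that share their first characters match.
    a = pb_fingerprint("TopSecret", "unicode", True)
    b = pb_fingerprint("TopSeXXXX", "unicode", True)
    print("TopSecret vs TopSeXXXX under unicode + Len:", a == b)
```

Even with the byte length corrected, the ASCII and Unicode builds still disagree with each other; only hashing a fixed, explicit encoding makes stored fingerprints comparable across machines.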
Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:08 am
by Keya
walbus wrote: @Keya - Think simple
MD5 is ok for this

Ok i'll think simple: simply change "UseMD5Fingerprint()" to "UseSHA3Fingerprint()", and simply change "#PB_Cipher_MD5" to "#PB_Cipher_SHA3" ...

Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:15 am
by walbus
@Keya - Think simple
The guy uses an older PB version without SHA3

And it looks like he will not use a newer one...
The chance of finding a collision with MD5 here, you can forget
Also, you cannot use tables for brute-forcing the password
Try it, and post the collision. I think it's not so simple, and how do you want to do this? You do not have the salt?
Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:36 am
by Keya
I don't know enough about them to say what's involved in "breaking MD5" as I'm not even a mathematician let alone a crypto person so I won't debate how easy or hard it is, but all I know is that using it is like saying F U to your customers' security/privacy, so in that sense to me it seems it's truly broken
btw if he has a PB older than SHA3 it'll probably still have SHA2
Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:44 am
by walbus
Look at what you want MD5 for!
I do not think the guy wants to encrypt 1e6 or more passwords
Also, a password is only a little string
At this time MD5 is still the most used hash for passwords around the world, I think...
Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:46 am
by Keya
yeah but come on, if it's still the most common (I don't know) that's not because it's recommended as best ...

people just hate updating their systems lol, "if it's not broken don't fix it"... (but it kinda is!)
Re: MD5 and password store
Posted: Sun Sep 25, 2016 10:51 am
by walbus
@Keya
Older PB does not have SHA2, only MD5 and SHA1
And the reasons he will not use a newer one can be different
All hashes have collisions; MD5 is not a problem here
Look, the complexity of MD5 is 16 bytes; this is more than enough for a little password with salt, also without salt
Think simple, you do not need a tank to protect you from rain

Re: MD5 and password store
Posted: Sat Oct 01, 2016 9:15 am
by Thorium
MD5 is broken. Everyone should only use SHA-3.
Just read up on articles about password hashing. The only reason MD5 is still used a lot is because people are too lazy to update their code.
To resolve a plain MD5 you can just put it in google. Many common passwords can just be retrieved like that.
Watch this for some basic info about password hashing:
https://www.youtube.com/watch?v=b4b8ktEV4Bg
Cracking MD5's:
https://www.youtube.com/watch?v=7U-RbOKanYs
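Added example, not part of the thread: Python code contrasting the single program-wide salt shown earlier in the thread with a random per-password salt and a deliberately slow derivation of the kind skywalk mentions. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here; the record layout, the ITERATIONS value, FIXED_SALT and the function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000                      # assumed work factor; raise it as hardware allows
FIXED_SALT = "constructed-program-salt"   # constructed stand-in for one #salt$ shared by all users

def md5_fixed_salt(password: str) -> str:
    """The thread's scheme: MD5 over password + one program-wide salt."""
    return hashlib.md5((password + FIXED_SALT).encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return a single-line record that fits a DB column, registry value or INI key."""
    salt = os.urandom(16)                 # fresh random salt for every password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:                    # malformed or truncated record
        return False
    return hmac.compare_digest(key, expected)

if __name__ == "__main__":
    # Two users who pick the same (constructed) password.
    same = md5_fixed_salt("TopSecret") == md5_fixed_salt("TopSecret")
    print("fixed salt, same password, same digest:", same)
    alice, bob = make_record("TopSecret"), make_record("TopSecret")
    print("per-password salt, records differ:", alice != bob)
    print("correct password verifies:", verify("TopSecret", alice))
    print("wrong password verifies:", verify("Test", alice))
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating records written earlier.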
Re: MD5 and password store
Posted: Sat Oct 01, 2016 11:29 am
by Dude
Thorium wrote: MD5 is broken
For passwords, yes. For generic data integrity checking, not really.
Anyway, MD5 was once considered secure and state-of-the-art... just like people are saying now for SHA3. But in a year or two, SHA3 will also be broken and the Next Big Thing will be recommended.
It's a never-ending cycle.