“It bugs me more than ever when I see a registration email coming from a website I just registered to, saying “Hello, your password is xxxxxxx”. This is just wrong. I do not want my password written ANYWHERE in the world. That tells me that the website is not secure, and the web developers obviously did not do their due diligence.”

First of all, if you do not know what an MD5 Hash concept is, read this description I found on the Wikipedia page for MD5 :

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions F; a different one is used in each round:

So, MD5 basically is a hashing algorithm that changes a regular string into a long garble of strings. For example, here’s what MD5 will do for you :

The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash:

 MD5("The quick brown fox jumps over the lazy dog")
  = 9e107d9d372bb6826bd81d3542a419d6

Even a small change in the message will (with overwhelming probability) result in a completely different hash, e.g. changing d to c:

 MD5("The quick brown fox jumps over the lazy cog”)
  = 1055d3e698d289f2af8663725127bd4b

The hash of the zero-length string is:

 MD5("")
  = d41d8cd98f00b204e9800998ecf8427e

As you can see, MD5 is quite a complicated algorithm that will switch any string to a 32 character hexadecimal string that you cannot recognize. This is commonly used to verifiy the validity of downloaded files, and ALSO used for website passwords!

When I create a website where peopel can log in (I’m sure Wordpress uses the similar method), the actual password is NOT stored on ther server side.

if($_POST[’pwd1′]==$_POST[’pwd2′])
{
// If password patches, process teh entry
$insert = “INSERT INTO username (username, pwd) VALUES (’$_POST[’username’]',’”.md5($_POST[’pwd’]).”‘)”;
// set the SQL so that the md5′d version of the pwd is inserted
mysql_query($insert);
}
else
{
// process output saying the password confirmation did nto match
echo “Your password did not match. Please try again.”;
}

That’s how it enteres the database. The actual password, that way, is not even visible to the administrator. This is the only way I feel fully secure.

When the login is being verified, the similar process goes through. They don’t compare the password - the compare the MD5 Sum of the password entered versus the MD5 Sum of the existing hash.

It bugs me more than ever when I see a registration email coming from a website I just registered to, saying “Hello, your password is xxxxxxx”. This is just wrong. I do not want my password written ANYWHERE in the world. That tells me that the website is not secure, and the web developers obviously did not do their due diligence. What the hell kind of bullsh*t is that? I deleted that email right away and emptied it. My password is often used on different applications with slight twists at the end of it - I can’t have different passwords for all the websites I need to log onto. And if one password is compromised, the next could be my web hosting, my blog, etc.

MD5 hashing of passwords is a common practice that just about any website should employ. Now you ask - what if I lose my password? The passwords should not be given back - it should be reset by the server, and sent back to you. Period.

If you are a rookie web developer, remember this lesson - the website owner should NOT be able to see the password registered by their users, and the password should not be sent back by email in any case. Make it impossible to do so by using the md5 function! And if you are a business owner and you hire web designers to do that stuff - make sure they build your sites that way. If they don’t, fire them, and call me.

This entry was posted on Wednesday, March 21st, 2007 at 1:47 pm and is filed under Web Development, Stupid People, Online Security, Rants, Coding. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.