| MD5 and passwords
|Description: All about the MD5 algorithm and how phpBB uses it to encrypt users' passwords.
|Author: Black Fluffy Lion
|Date: Tue Jan 14, 2003 6:00 pm
|Keywords: MD5, hash, message, digest, encrypt, encode, passwords
|View as HTML or printer friendly version
- Basic information
- What is MD5?
- How can I decode an MD5 hash?
- What is MD5 used for?
- phpBB and MD5
- How does phpBB use MD5?
- How do I change a user's password...
- ...using phpBB?
- ...using phpMyAdmin?
- ...using command line?
- Can I use phpBB's user database even though the passwords are MD5'ed?
- How does the login code work with MD5 hashes?
- Other related stuff
- How can I calculate an MD5 hash?
- Related links
What is MD5?
MD stands for message digest. MD5 is an algorithm which takes an input of any length, and outputs a message digest of a fixed length (128-bit, 32 characters), made up from hexadecimal values. OK, now in English: MD5 is basically a way of taking a bunch of characters (be they digits, alphabetic or other), called the input string, and changing them to a 32 character long bunch of characters, called the message digest or the hash of the inputted string, made up from only hexadecimal characters (the digits 0-9 and the letters a-f). This means that whatever the length of the inputted string, MD5 will always create something which is 32 characters long, with only hexadecimal characters. The message digest will have no spaces, or quotation marks or anything other than 0-9's and a-f's in the outputted message digest.
MD5 hashes also have the advantage of generating completely different looking hashes from seemingly similar inputs. For example:
- The MD5 hash of jim is 5e027396789a18c37aeda616e3d7991b
- The MD5 hash of Jim is d54b3c8fcd5ba07e47b400e69a287966
- The MD5 hash of Jimmy is 495b3121d23f5988b133882b36aa7214
As you can see, the three similar looking inputs deliver completely different looking MD5 hashes. These examples also demonstrate how j and J are interpreted as two different characters. So, generating MD5 hashes is case sensitive. Another thing to note here is that although third example has only added 2 characters (my) to the end of the second one, the whole hash changes. So you can't get the MD5 hash of Jimmy from the MD5 hash of Jim just by tinkering with the last few characters - changes in the inputted string are evenly spread across the whole message digest. Also look at how the three input strings each generate a 32 character long message digest, even though the last example is two characters longer than the one before it.
Despite the random appearance of the MD5 hashes from the inputted sting, there is a set pattern of hashing (an algorithm) which MD5 uses to turn the inputted string to a message digest. If you're really interested, then you can read more about the algorithm. Because MD5 uses the same algorithm each time, the MD5 hash of jim will always be 5e027396789a18c37aeda616e3d7991b.
This fact, added to other strengths which include the speed at which message digests can be generated, makes MD5 an extremely useful and powerful tool. But perhaps the most important is the fact that MD5 creates a one way hash...
Related link: Internet RFC/STD/FYI/BCP Archives: RFC1321 - all about the MD5 algorithm.
How do I decode an MD5 hash?
Simple answer - you can't. A one way hash means that the message digest which is outputted by the MD5 algorithm is irreversible. There's no known way of getting from the MD5 hash to the originally inputted string. Remember that seemingly similar input strings generate completely different looking MD5 hashes. The only known way of getting the original string is by brute force cracking. This means going through many combinations of characters until the message digest outputted by one of them equals the message digest that you are trying to match. However, with our computer power at the moment, doing something like this on a long enough string would take years, and by that time you (and possibly your computer) would have died of boredom. Another thing to note here is that MD5 hashes are designed to be unique. The chances that two different inputs would have the same message digest is very, very small (1/(16^32) or about 1/(3.4E+38)), but possible.
What is MD5 used for?
The properties of MD5 (one-way hashing, fixed length output, speed of generation, etc.) make it very useful for a number of tasks. It is often used to generate a checksum of whole files (this is especially apparent in the open source world). The developer of the application often runs the downloadable tarball through MD5 and then publishes the message digest. When the user downloads the application, they can also generate the MD5 hash of the tarball they downloaded. If the developer's MD5 matches the one the user has generated, then the two applications are the same. If they don't match, then the two applications are different, which means the downloaded version could contain a virus or the like.
The other most common use for MD5 is in hashing passwords to be entered into a database. This is where phpBB come into the scene...
phpBB and MD5
How does phpBB use MD5?
phpBB uses the MD5 algorithm to hash users' passwords. This is done for security - if the passwords were stored in plain text form then anyone with access to the database (be it a hacker or an admin) would be able to get the users' passwords. Obviously, your users wouldn't be too happy with that. With the passwords being stored as MD5 hashes, phpBB is much securer from a user's point of view. In addition to the passwords, session ids with phpBB are also MD5 hashes.
How do I change a user's password...
If you have simply forgotten your password, and cannot access your account then go to the login screen by clicking Login at the top of a page (you must be logged out for this link to display) and then click 'I forgot my password' under the input boxes to have a new password e-mailed off to you. If however that doesn't work or you need to edit another user's password or you have no access to phpBB or you have nothing better to do with your time than read the rest of this guide then carry on...
To change your own password, edit your profile by clicking on the Profile link at the top of a page outside the administration panel. Then simply enter your current password in the Current password box and your new password in the New password and Confirm password boxes. Scroll down to the bottom of the page and click Submit to save the changes.
You can change another user's password from the administration panel. In the administration panel, click on Management at the bottom of the navbar in the left frame, under the User Admin section. Then enter the name of the user whose password you want to change and click 'Look up user'. Near the top you should see two fields entitled 'New password' and 'Confirm password'. Enter the new password in both of these boxes, and then scroll down to the bottom of the page and click Submit. Ta-da!
To change a password without using phpBB, you will need to have a database administration tool such as phpMyAdmin or have command line access available to you.
Warning: Before doing any manual database work, please backup your database (especially the users table)! I don't expect anything to go wrong, but better safe than sorry, eh??
Anyway, to change a password using phpMyAdmin, login and click your username in the top of the left hand frame or select your database there. In the main frame, make sure you're in the Structure tab. Then scroll down to phpbb_users (or whatever table prefix you specified during installation) and click Browse. A list of all your users should appear. Find the account whose password you wish to change (you may need to view another page of results if the account does not appear on the first page), and click Edit by the correct row. Then look for a field on the left handside called 'user_password' (it should be about the 4th row down). The row should look something like this:
|phpMyAdmin wrote: |
|user_password | varchar(32) | empty select menu | MD5 hash |
Click on the empty select menu and from the list select MD5 (not password). In the box to the right of that, which contains the hash, enter the new password in plain text form, not as an MD5 hash. The row should now look something like this:
|phpMyAdmin wrote: |
|user_password | varchar(32) | MD5 | new password |
When you're done on that, scroll down the page to the bottom and click Go. The user should now be able to login with their new password.
...using command line?
Warning: I said this above but I'm going to say it again: before doing any manual database work, please backup your database (especially the users table)! I don't expect anything to go wrong, but better safe than sorry, eh??
To change a user's password by running a command, you need to make use of a clever function called MD5() for MySQL (which, as the name suggests, calculates the MD5 hash of an entered string). Here's the query you'll need to use:
|MySQL query wrote: |
|UPDATE phpbb_users SET user_password = MD5('new password') WHERE username = 'username'; |
Make sure you change new password and username to what you want to change the user's password to and the user's username respectively. You may also need to change the phpbb_ part of phpbb_users if you specified a different table prefix during installation.
Related link: MySQL: MD5() - used to calculate the MD5 hash of a string (practically the same as PHP's md5()).
Can I use phpBB's user database even though the passwords are MD5'ed?
Yes, you can. Because the passwords are in the database as MD5 hashes, it means that to do things with them (e.g. compare an entered password with a password in the database for logging in), you need to use the entered password's MD5 hash. The function for this is PHP's md5(), which calculates the MD5 hash of the string entered (just like MySQL's MD5() function).
Related link: PHP: md5() - function to return the MD5 hash of an entered string.
How does the login code work with MD5 hashes?
As mentioned above, for the entered password to match the hash in the database, first it must have its MD5 hash calculated. Open up login.php to see how this is done.
|login.php wrote: |
|if( md5($password) == $row['user_password'] && $row['user_active'] ) |
The bit of code which calculates the entered password is highlighted. So, what's happening here?? Well, for a user to login successfully, they must fulfill both of the two conditions which this code checks for:
- That the MD5 hash of the password they entered in the login form is the same as the password that is stored in the database (which is also an MD5 hash) - md5($password) == $row['user_password']
- That they have been activated - $row['user_active']
That's exactly what this code checks for. It will only log you in if the md5 hash of the password you entered matches the password selected from the database and (which is what the && does) you are active.
Other related stuff
How can I calculate an MD5 hash?
To calculate the MD5 hash of an entered string, use this nifty MD5 hash calculator. Simply enter the string in the text input box and click Submit. The MD5 hash should magically appear below. If you're wondering why it displays d41d8cd98f00b204e9800998ecf8427e even though you haven't entered anything, don't worry, it isn't broken (I hope), what appears is the MD5 hash of an empty string.
Here are some links which should help if you're interested in learning more about the MD5 algorithm or about creating MD5 hashes:
Last update 29 May 2003