MyBB's Password Encryption Method?

Ryan Gordon (Former Staff)
2010-08-28, 09:28 AM (This post was last modified: 2010-08-28, 09:31 AM by Ryan Gordon.)

Just clarifying a couple of things here:

MD5 and SHA1 both use the same principles in their design. The only reason SHA1 is better to use is because it has less of a chance of collisions and uses a different ciphering algorithm.

These encryption algorithms are considered "one way" encryption algorithms. That means once encrypted you can't reverse the encryption to bring it back to its original cleartext.

How is this done? This is based on a mathematical principle of "loss of information". Since there is an infinite amount of possibilities you can use for the input and the output is always a finite amount of possibilities of 32 characters for md5, and 40 characters for sha1, you have to either expand or compress this output to exactly 32 or 40 characters. That's exactly what these algorithms do.

f(x) = md5(x);
md5(x) return 32 scrambled characters based on x;

Unfortunately, because there are unlimited input possibilities and only limited output possibilities, you create the effect known as collisions. This means that two different inputs can create the same output. Fortunately for us, 32^36 and 40^36 possibilities make it statistically improbable for this to ever happen. You'd need dedicated super computers to come up with collisions.

In addition, if you theoretically plotted these encryption algorithms on an xy graph, because of the ability to have collisions this tells us that for any given y resultant, there are more than one x input. Just do a simple horizontal line test and it would fail. This property of these encryption algorithms makes it impossible to decrypt.

You could always brute-force every single combination (x) until there is a matching (y) resultant to the one you were looking for. Of course, this still doesn't mean that it's the right cleartext input (x) since these algorithms failed the horizontal line test. And even then, to brute-force you would need a local copy of the database storing the hash information. Otherwise, the latency of the internet would cripple the brute-force attack. It would take millions of years to complete a full brute-force attack.

Make sense? lol

Ryan
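
An added example, not part of the original post: the Python sketch below shows the fixed digest lengths the post describes and, by cutting MD5 down to 16 bits so the search finishes instantly, the collision effect and why a brute-forced match need not be the original input. The `msg-N` inputs, the 16-bit truncation and all function names are assumptions made for this illustration.

```python
import hashlib
from itertools import count


def digest_lengths(samples):
    """Hex digest lengths (md5, sha1) for each input, whatever the input size."""
    return [(len(hashlib.new("md5", s).hexdigest()),
             len(hashlib.new("sha1", s).hexdigest())) for s in samples]


def truncated(data, bits, algo="md5"):
    """Top `bits` bits of the digest as an int: a deliberately tiny hash."""
    h = hashlib.new(algo, data)
    return int.from_bytes(h.digest(), "big") >> (h.digest_size * 8 - bits)


def find_collision(bits, algo="md5"):
    """Hash msg-0, msg-1, ... until two inputs share a truncated digest.

    Only 2**bits outputs exist, so a repeat is guaranteed within
    2**bits + 1 inputs (pigeonhole); in practice it arrives far sooner.
    Returns (first_input, second_input, shared_value, inputs_tried).
    """
    seen = {}
    for i in count():
        msg = f"msg-{i}".encode()  # constructed sample inputs
        value = truncated(msg, bits, algo)
        if value in seen:
            return seen[value], msg, value, i + 1
        seen[value] = msg


def preimages(target, bits, limit, algo="md5"):
    """Every one of the first `limit` candidates that hashes to `target`.

    More than one result means a matching hash alone cannot tell you
    which input was the original one.
    """
    candidates = (f"msg-{i}".encode() for i in range(limit))
    return [m for m in candidates if truncated(m, bits, algo) == target]


if __name__ == "__main__":
    print(digest_lengths([b"", b"a", b"x" * 1_000_000]))
    a, b, value, tried = find_collision(16)
    print(f"{a!r} and {b!r} share 16-bit value {value:#06x} after {tried} inputs")
    print(preimages(value, 16, tried))
```
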