Essential PHP Security and MD5 Reversing

I’ve just finished reading Chris Shiflett’s Essential PHP Security, and I have to say that it’s a great book. It’s very small – weighing in at only 109 pages (including the appendices and index) – but I think Chris feels this is its main draw. Indeed, it’s a quick and easy read, but that doesn’t mean it’s lacking in thoughtful and careful attention to detail – on the contrary. Rather, Chris has created a very concise and easy-to-read guide to Web application security. The language is clear, as are the examples.

For anyone who’s ever attended one of Chris’s talks on PHP security, this is the ultimate companion. For those who haven’t had the privilege of sitting in on his talks, this book is everything that you’re missing.

It’s available on Amazon.

Now, for some fun, I used the Rednoize MD5 database mentioned in Chapter 3 of Essential PHP Security to build a little AJAX application that creates MD5 hashes of strings and checks whether a given hash exists in the MD5 database. According to the Rednoize blog, there are over 2 million MD5 hashes stored with their plaintext counterparts in the database. In addition, I’m using Paul Johnston’s JavaScript MD5 library to handle the string-to-MD5 conversion on the client side (rather than sending an extra request to the server).

Now, on the Rednoize MD5 site, when you enter a string (as opposed to an MD5 hash) that does not exist in the database, it automatically creates a hash of that string and adds it to the database. So beware of entering your own passwords there: from then on, your passwords and their corresponding MD5 hashes will be in the database. My implementation does not do this, however. If the string entered is not exactly 32 alphanumeric characters, it will not try to retrieve a value for it from the MD5 database; it will only hash it locally.

If you want, give my little MD5 reversal application a try.

UPDATE: The MD5 database does not appear to store string values longer than 32 characters; it appears to truncate strings at 32 characters and save the MD5 hash of the truncated string. So, be sure all your passwords are > 32 characters. ;-)

UPDATE (6 Nov ‘05): I’ve moved my MD5 hash lookup application to http://md5.benramsey.com/, where it will live on a permanent basis.