When someone users the md5 algourim (sp?) in PHP do they store the md5 word in the sql database and since it is not encodeable when someone inputs a password they run it though md5 and then check to see if the passwords are a match? Is this how it is done? And is this how vBulletin does it?

Yes basically.
When you register, your password is hashed.
It can never be unhashed.
Therefore when you login, your password you enter is hashed and if the two hashes match, it's a password match.

Dave.

PS; SP: Algorithm.

as for security:
md5 is a standardhashing function, so everyone can use it, and there can be already much lexica's to get the pw from a hash, just because of comparing it with hashes of a word list...

to increase security, you should modify the passwordstring with another value before to be prepared of this problem.
(vb3 does that afaik)

What if you had two passwords which were the same? Would the hash be the same?

- miSt

the hash of two identical passwords would alwasy be the same if you use the same hashing function :)

but if you combine the hashingfunction with the userid, it would be possible to get different values ;)

Hmmm does vb do the latter?

i don't know exactly but IIRC nope

FWIW, although hashes are not unique (i.e., two unhashed different strings can create the same MD5 hash), it's extraordinarily, incredibly unlikely that it'll happen.

vB's method:
1. Store an md5 of whatever in the database
2. To authenticate, compare md5(what the user entered on the form) to whatever.

So if Bob has a password which was "lalala" and Harry had a passwod which was "lalala" also then they would have the same hash?

- miSt

Yes.

But the user doesn't see that hash, so they are none the wiser.

Dave.

But on two different boards... the same passwords would have a different hash?

- miSt

In vB3, yes, because each vB3 installation has a unique "salt" for generating the hash. In vB2, the salt is the same and your hashed password on one board will be the same as your hashed password on another board, if the two passwords themselves are identical.

So in fact you could de-crypt md5 like any other code if you took the time?

- miSt

I guess if you took the time but from what I hear md5 is not ment to be de-crypted that is why we are compairing the two I guess. Correct me if I'm wrong.

It's not encrypted or decrypted. Hashing is a one-way algorithm. The only way to effectively "unhash" something is via a brute force attack.

Dean: as filburt stated, md5 is a hash-algorithm, (speak several different strings will produce the same hash)
so it's mathmatically impossible to decrypt it.
BUT: it is possible to find a way to find matching passwords if you know the hash, but it's a very hard way, just a little faster than bruteforce maybe ;)