« Problems with FLV and cPanel – Solution: MIME Types

MD5 Hashing and Salt

I just read a great post by Marcel Oelke who runs http://md5.rednoize.com/. He’s got a great way to access his webservice and then check if a user’s password is insecure. Even if you are using MD5 before storing the password, I certianly hope people aren’t storing passwords in cleartext, it may not be secure.

I know many people don’t add some salt before storing the password and MD5.rednoize.com really is the perfect example as to why you should be salting all passwords! Even if you have a single sitewide salt - prepending it to a user’s password before creating the hash is a powerful way to prevent the use of a database like the one which runs MD5.rednoize.com matching against your database. So basically in PHP:

$salt = “ThisSuperLongStringWillProtectMyUsersAgainstInsecurePasswords”;
$userpass = $_POST['pass'];
$md5pass = md5($salt . $userpass);

When your user then attempts to login you’ll duplicate the same process. I personally would keep the $salt in a file outside the normal webroot.

Now the chances of a site having the matching hash to your users password – even if the pass is ”word” is MUCH less likely. I hope this explains what it means to salt your passwords.

You can read Marcel’s post and learn how to call his webservice here:
http://blog.fl3x.de/2005/11/10/checking-password-strength-using-md5rednoizecom-and-ajax/

This entry was posted by JuanJose on September 13, 2007 at 11:47 am, and is filed under Development, PHP, PHP, Programming. Follow any responses to this post through RSS 2.0.You can leave a response or trackback from your own site.

Comments (3)
Related Posts

#1 written by Ashutosh Grewal 1 year ago

That was good! :)

Quote
#2 written by austin 1 year ago

site wise salt is a bad idea…
suppose im registered at site a, i know my pass and my pass+salt is stored in my cookies (if i said remember me) so i check an md5 of my pass and see it doesnt match, i determine its using a salt, so i use my known pass and a rainbow table to brute force the salt. now i have to know in advance that all users will have that salt…or i can just guess well. and when i get someone elses digest i can use the known salt and a rainbow table and brute force the pass.
this is also true if the algorithm for making the salted md5 is known and the database in compromised such that i have access to the information used, i can then brute force just the same as if there WAS no salt.

Quote
#3 written by JuanJose 1 year ago

The problem with your assumption here is that you believe the salt would ever become available to you – just because you select a ‘remember me’ option does not mean we would ever store any sensitive data in a cookie. More likely I would send a session ID and a randomly generated auth code, which will get matched against various variables when attempting to validate your cookie.

So really, I don’t see a site wise salt as a bad idea, so long as we never send sensitive information (which we never should!).

Quote
Type your comment
You may use these HTML tags: <a> <abbr> <acronym> <b> <blockquote> <cite> <code> <del> <em> <i> <q> <strike> <strong>

Notify me of follow-up comments by email.
Notify me of new posts by email.
Comment Feed for this Post

Go to Top

MD5 Hashing and Salt

Downloads

Subscribe to Blog via Email

Tweets

Top Commenters