Author: hjalle - 2008-03-28

How to create a salted md5 hash


MD5 stands for Message-Digest algorithm 5 and produces a 128-bit hash value. An MD5 hash is typically written as a 32-character hexadecimal number. At first it was hard to crack MD5 hashes, but more recently something called a “rainbow table” has appeared, which can crack md5 hashes easily. So, what do we do to protect ourselves against those rainbow tables? Use something called a “salt”. The reason you have to add a salt is that lots of people use passwords such as “mydamncatsname” or “ilovejesus”. Hashes of such words have already been generated, so if you compare the password hashes in your database against the generated list, you will find out which passwords your database contains. If you add a salt such as “fsjlk4u9pfs”, the hash is computed over something like “ilovejesusfsjlk4u9pfs”, which is not likely at all to appear in any dictionary.


So how do you implement a salt? Does it involve some tremendous programming effort? No. It’s the easiest thing you can do.


To keep it simple, here’s a code snippet showing how a salt works.

<?php
// $password is the password submitted by the user.
$salt = "kfoe56";
$hash = md5($salt.$password);
?>


That is a static salt, which is better than nothing, but not nearly as good as a dynamic salt. There is absolutely no reason to use a static salt, since it’s not any harder to create a dynamic salt.


A dynamic salt can be derived from something that differs per user, such as the user id. This is a pretty good example of how a dynamic salt can be used:

<?php
// Use a per-user value as the salt, so two users with the same password
// end up with different hashes.
$salt = $userid;
$hash = md5($salt.md5($password.$salt));
?>

The time needed to crack that password is far longer than for a plain hash.

So please, use some damn salt when you store your users passwords.
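The per-user scheme above, carried through to storage and login checking, as an added example that is not part of the original post. It assumes PHP 7 or newer (for random_bytes() and hash_equals()) and uses a random salt stored beside the hash instead of the user id.

```php
<?php
// Added example, not code from the original post.
// Assumes PHP 7+ for random_bytes() and hash_equals().

// A fresh random salt for each new user, as 32 hex characters.
function make_salt(): string {
    return bin2hex(random_bytes(16));
}

// The post's construction: md5(salt . md5(password . salt)).
function salted_md5(string $password, string $salt): string {
    return md5($salt . md5($password . $salt));
}

// What gets stored per user. The salt must be stored too, because
// it is needed again to recompute the hash at login.
function store_password(string $password): array {
    $salt = make_salt();
    return ['salt' => $salt, 'hash' => salted_md5($password, $salt)];
}

// Login check. hash_equals() compares the two strings in constant
// time, so the comparison itself leaks nothing about the stored hash.
function check_password(string $candidate, array $record): bool {
    return hash_equals($record['hash'], salted_md5($candidate, $record['salt']));
}

// Demo with a constructed password.
$record = store_password('ilovejesus');
var_dump(check_password('ilovejesus', $record));
var_dump(check_password('ilovejesus2', $record));

// Two users with the same password get different hashes, which is
// what makes a precomputed table of md5(word) useless here.
$other = store_password('ilovejesus');
var_dump($record['hash'] === $other['hash']);

// Since PHP 5.5, password_hash() and password_verify() do the salting
// and use a deliberately slow hash; prefer them for new code.
```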

