Creating a Secure Md5 Hash for Storing Passwords in a Database
Oftentimes we, as developers, are required to create authentication systems. When developing an authentication system it is always best to make it as secure as possible. One of the problems that arises when creating an authentication system is storing the username and password of our users. One way to store the username and password would be to simply make a column in a table called usernames and a column called password and store each user’s login credentials in plain text.
Storing login credentials in plain text would certainly be easy to implement; however, it creates more risk for our users. Anyone with access to the database could view the login password of any one of the users. Since users oftentimes use the same password for other applications and services, you as a developer or service take on added responsibility and risk, because with plain-text storage you know their username and password. A better solution would be to not even know the users’ passwords ourselves.
But if we don’t know the password, how could we possibly authenticate a user? The standard way of doing this is using what is called the md5 hash. You can think of an md5 hash as a one-way encryption. Once an md5 hash is created there is supposed to be no way to reverse it. What we can do instead is compare the hash we have stored in our database (the user’s password) with a hash of what the user typed in. If the two hashes match, whatever the user typed in at login must have been the same thing he typed in when we stored his password. Thus we can verify the password without actually knowing what the password is.
A Simple Md5 Hash
<?php
// Hash the password with plain, unsalted md5.
$password = 'mypassword';
$hashedPassword = md5($password);
echo $hashedPassword;
?>
The code above will output ‘34819d7beeabb9260a5c854bc85b3e44’. Remember now, there is supposed to be no way that this hash can ever be reversed to find the original value, in our case the user’s password; however, attackers have created what are called rainbow tables, which store known hashes and compare them against a target hash until they find a match. When storing sensitive information like passwords we can’t afford to have someone reversing our hashes.
Reversing an Md5 Hash
Reversing a simple md5 hash is quite easy. This website will reverse an md5 hash for you. In my example I typed in ‘34819d7beeabb9260a5c854bc85b3e44’ and it showed the original text, ‘mypassword’. As you can see, this method of hashing will not be secure enough for storing passwords in a database. We need something more secure.
Making an Md5 Hash More Secure
To make the md5 hash more secure we need to add what is called “salt”. Salt in this sense is random data appended to the password to make the hash more complicated and more difficult to reverse engineer. Against an attacker who does not know the salt, rainbow table attacks are mostly useless.
<?php
$password = 'mypassword';
$salt = 'i_always_take_a_sentence_or_two_and_add_some_numbers_8342394';
// Append the salt to the password before hashing.
$saltedHash = md5($password . $salt);
echo $saltedHash;
?>
Now obviously, if an attacker figures out what salt you use, the entire hash system is flawed. So keep your salt safe.
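The salted scheme above, run end to end with the compare-the-hashes login check described earlier, as an added example (not the article's own code). It goes beyond the single fixed salt: under one site-wide salt two accounts that share a password store identical hashes, which a random per-account salt or PHP's built-in password_hash()/password_verify() avoids. The function names and sample accounts are constructed for illustration.

```php
<?php
// Added example. Helper names, accounts and passwords are constructed.

// The article's scheme: one site-wide salt appended to every password.
const SITE_SALT = 'i_always_take_a_sentence_or_two_and_add_some_numbers_8342394';

function fixedSaltHash(string $password): string
{
    return md5($password . SITE_SALT);
}

// Variation: a random salt per account, stored in the row beside the hash.
function perUserRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($password . $salt)];
}

// Login check: re-hash what was typed with the stored salt and compare.
function perUserVerify(string $typed, array $row): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($row['hash'], md5($typed . $row['salt']));
}

// Two constructed accounts that happen to share a password.
$alice = 'mypassword';
$bob   = 'mypassword';

// Fixed salt: equal passwords give equal stored hashes, so one cracked
// hash exposes every account that shares the password.
var_dump(fixedSaltHash($alice) === fixedSaltHash($bob));

// Per-account salt: the same password is stored differently for each row.
$rowA = perUserRecord($alice);
$rowB = perUserRecord($bob);
var_dump($rowA['hash'] === $rowB['hash']);
var_dump(perUserVerify('mypassword', $rowA));
var_dump(perUserVerify('wrongpassword', $rowA));

// PHP's built-in API: password_hash() generates its own random salt,
// embeds it in the returned string, and uses an adaptive algorithm with
// a cost factor, so each guess is far more expensive than one md5 call.
$stored = password_hash($alice, PASSWORD_DEFAULT);
var_dump(password_verify('mypassword', $stored));
var_dump(password_verify('wrongpassword', $stored));
```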
As Jade suggested in his comment below, you can decrease the chance of someone reversing an md5 hash by simply having a more complex password. See Picking Strong Passwords that you can Remember for more info on picking a complex password that is easy to remember.







Holy crap — I didn’t know reversing an md5 hash was so easy. Good thing I’m paranoid and salt everything.
While salting is the preferred way to stop someone from reverse hashing, having informed users with properly complex passwords makes reverse hashing take entirely too much time.
My buddy down in the office was having fun once creating rainbow tables, so we all had to change our common passwords. When we started doing some distributed computing with Condor and needed jobs to test it he was like “why don’t we use it to make rainbow tables?” I could have slapped him.
@Jade: The problem is having informed users. As you know I worked at the University for a few years and one of the network admins did some sort of sitewide whitehat password attack on all of the departments around campus. He reported back that over 50% of the passwords were variants of the word, “Griz” (the college team).
Thus they had to implement a group policy that forced users to change their passwords and forced complexity.
The problem was, they all started writing down their passwords and sticking them to the monitor.
Users are bad…mmkay
That’s funny about your buddy. I remember working for the university we would always have nerdy ways of testing new equipment.
I just today found another benefit to using MD5 and salting to store passwords instead of the built in password function in mysql. We recently upgraded to the newest version of mysql that uses a different algorithm for the password() function. Had we just MD5 and salted the passwords it would have saved us a lot of hassle.
That is awesome about the griz password whitehatting. I don’t doubt it one bit. I remember the website genmay did some password snooping and found 1/4 of their members used “password” or their username as their password. Stupid, stupid stupid.
[...] to encrypt user info with php - Something I didn’t think about when I wrote my article about hashing stored passwords was adding the username of the hash. This along with salt creates a stronger hash. [...]