Creating a Secure Md5 Hash for Storing Passwords in a DatabaseWritten by Mark Sanborn: May 19, 2008
Often times we, as developers are required to create authentication systems. When developing an authentication system it is always best to make it as secure as possible. One of the problems that arise when creating an authentication system is storing the username and password of our users. One way to store the username and password would be to simply make a column in a table called usernames and a column called password and store each user’s login credentials in plain text.
Storing login credentials in plain text would certainly be easy to implement; however, it creates more risk to our users. Anyone with access to the database could possibly view the login passwords of anyone of the users. Since users often times use the same password for other applications and services, you as a developer or service would have added responsibility and risk since you know their username and password if stored in plain text. A better solution would be to not even know the user’s passwords ourselves.
But, if we don’t know the password how could we possibly authenticate a user? The standard way of doing this is using what is called the md5 hash. You can think of an md5 hash as a one-way encryption. Once an md5 hash is created there is supposed to be no way to reverse it. What we can do instead is compare the hash we have stored in our database (the user’s password) with a hash of what the user typed in. If the two hashes match, whatever it was the user typed in previously, must have been the same thing he typed in when we stored his password. Thus we can verify the password without actually knowing what the password is.
A Simple Md5 Hash
<?php $password = 'mypassword'; $hashedPassword = md5($password); echo $hashedPassword; ?>
The code above will output ‘34819d7beeabb9260a5c854bc85b3e44’. Remember now, there is supposed to be no way that this hash can ever be reversed to find the original meaning, in our case the user’s password; however, attackers have created what is called rainbow tables that store known hashes and compares them eventually finding a match. When storing sensitive information like passwords we can’t afford to have someone reversing our hashes.
Reversing an Md5 Hash
Reversing a simple md5 hash is quite easy. This website will reverse an md5 hash for you. In my example I typed in, ‘34819d7beeabb9260a5c854bc85b3e44’ and it showed the original text, ‘mypassword’. As you can see this method of hashing will not be secure enough for storing passwords in a database. We need something more secure.
Making an Md5 Hash More Secure
To make the md5 hash more secure we need to add what is called “salt”. Salt in this sense of the meaning is random data appended to the password to make the hash more complicated and difficult to reverse engineer. Without knowing what the salt is, rainbow table attacks are mostly useless.
<?php $password = 'mypassword'; $salt='i_always_take_a_sentence_or_two_and_add_some_numbers_8342394'; $saltedHash = md5($pass . $salt); echo $saltedHash; ?>
Now obviously if an attacker figures out what salt you use the entire hash system is flawed. So keep your salt safe.
As Jade suggested in his comment below, you can decrease the chance of someone reversing an md5 hash by simply having a more complex password. See, Picking Strong Passwords that you can Remember for more info on picking a complex password that is easy to remember.
Need to print shipping labels on your site?
Checkout my product RocketShipIt for simple easy-to-use developer tools for UPS™ FedEx™ USPS™ and more.