Jump to content


Photo

MD5 and different hash values


  • Please log in to reply
10 replies to this topic

#1 extrovertive

extrovertive
  • Members
  • PipPipPip
  • Advanced Member
  • 235 posts

Posted 12 August 2006 - 08:40 AM

I'm using MD5 to hash passwords stored in a database.

However, as I insert test entries using the same password, I see the same hash value. That means, if I know my password and if another user has the same hash value in the database, that person has the same database as me.

How do I make MD5 hashing value all different even if users enter the same password? How does adding a salt to MD5 in PHP work?

#2 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 12 August 2006 - 08:44 AM

<?php
$salt="dsjfwngngiu3w";
$pass=$_POST['password'];
$hash=md5($salt.$pass);
?>

Orio.
Think you're smarty?

(Gone until 20 to November)

#3 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 12 August 2006 - 09:02 AM

Err, why is ths a problem? If someone has access to your database then you should be worried.

Perhaps ive misunderstood.

#4 Prismatic

Prismatic
  • Members
  • PipPipPip
  • Advanced Member
  • 503 posts
  • LocationSan Diego

Posted 12 August 2006 - 09:18 AM

I honestly dont see the problem. It's entirely possible I have the same password as someone on these very forums, that doesn't instantly give me access to their account, because I dont know who if anyone has the same password as me to begin with.

#5 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 12 August 2006 - 10:34 AM

I think what he entered to the table was just md5($salt). that's why everything looks the same. Take a look at my first post. This is the way it should be done.

Orio.
Think you're smarty?

(Gone until 20 to November)

#6 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 12 August 2006 - 10:44 AM

Hi,
I am very interested in what 'salt' means/does could someone please elaborate, thks.

#7 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 12 August 2006 - 11:51 AM

Salt is a string you add to every password (there are alot of methods doing that) before you hash it, so if someone will get the md5 password of someone he will have a harder time cracking it.

Orio.
Think you're smarty?

(Gone until 20 to November)

#8 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 12 August 2006 - 11:55 AM

So can this salt string be any characters you wish to put in the string or does there have to be a fixed length or types of characters

#9 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 12 August 2006 - 12:01 PM

Just a random string. In my example salt was:
$salt="dsjfwngngiu3w";

You can make it even more complex with things like:
$salt_a="jgweg";
$salt_b="439683nfg";
$hash=md5($salt_a.$password.$salt_b);

You just have to keep in mind that every time a user log's in you need to add those strings before and after the password inorder it to match the one in the database.

Orio.
Think you're smarty?

(Gone until 20 to November)

#10 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 12 August 2006 - 12:03 PM

Cool. I guess you would want to place the salt within an hidden file or that would defeat the object of salt?

#11 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 12 August 2006 - 12:06 PM

Just place it in you script, or in a included file (with a php extension).

Orio.
Think you're smarty?

(Gone until 20 to November)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users