Jump to content

Archived

This topic is now archived and is closed to further replies.

extrovertive

MD5 and different hash values

Recommended Posts

I'm using MD5 to hash passwords stored in a database.

However, as I insert test entries using the same password, I see the same hash value. That means, if I know my password and if another user has the same hash value in the database, that person has the same database as me.

How do I make MD5 hashing value all different even if users enter the same password? How does adding a salt to MD5 in PHP work?

Share this post


Link to post
Share on other sites
[code]<?php
$salt="dsjfwngngiu3w";
$pass=$_POST['password'];
$hash=md5($salt.$pass);
?>[/code]

Orio.

Share this post


Link to post
Share on other sites
Err, why is ths a problem? If someone has access to your database then you should be worried.

Perhaps ive misunderstood.

Share this post


Link to post
Share on other sites
I honestly dont see the problem. It's entirely possible I have the same password as someone on these very forums, that doesn't instantly give me access to their account, because I dont know who if anyone has the same password as me to begin with.

Share this post


Link to post
Share on other sites
I think what he entered to the table was just md5($salt). that's why everything looks the same. Take a look at my first post. This is the way it should be done.

Orio.

Share this post


Link to post
Share on other sites
Guest huey4657
Hi,
I am very interested in what 'salt' means/does could someone please elaborate, thks.

Share this post


Link to post
Share on other sites
Salt is a string you add to every password (there are alot of methods doing that) before you hash it, so if someone will get the md5 password of someone he will have a harder time cracking it.

Orio.

Share this post


Link to post
Share on other sites
Guest huey4657
So can this salt string be any characters you wish to put in the string or does there have to be a fixed length or types of characters

Share this post


Link to post
Share on other sites
Just a random string. In my example salt was:
$salt="dsjfwngngiu3w";

You can make it even more complex with things like:
$salt_a="jgweg";
$salt_b="439683nfg";
$hash=md5($salt_a.$password.$salt_b);

You just have to keep in mind that every time a user log's in you need to add those strings before and after the password inorder it to match the one in the database.

Orio.

Share this post


Link to post
Share on other sites
Guest huey4657
Cool. I guess you would want to place the salt within an hidden file or that would defeat the object of salt?

Share this post


Link to post
Share on other sites
Just place it in you script, or in a included file (with a php extension).

Orio.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.