Thierry
Posted February 18, 2010

I'm currently trying to hash a password value with a salt and then encrypt that with MD5 several times. Right now I'm using this function I made.

    // Encrypts a key using MD5 and strengthens the key by the given amount of bits
    function encryptMD5($string, $bits = 0, $msecDelay = 0){
        // Encrypt the string as normal
        $encrypted = md5($string);
        // Start looping
        for($i = 0; $i < pow(2, $bits); ++$i){
            // Start encrypting
            $encrypted = md5($encrypted);
        }
        // We might want to pause the script for a while in case of a brute force attack
        usleep(($msecDelay*1000));
        // Return the key
        return $encrypted;
    }

It works fine, but I was wondering what I should store in my database. The main reason I use this is so that you can't use a rainbow table on the password in the cookie/session.

However, currently I'm only storing the salt itself and the fully hashed password+salt value in the database. This means, however, that when someone logs in, I have to hash their password with each salt to try and get a match. If I end up with a lot of users, this could mean dozens or hundreds of salts to cross-check with.

Should I store an MD5 value of only the password itself without the salt in my database rows for quick matching? If the database ever got hacked, they could see the salt anyway, so having a single MD5 hash of the password in only the database (but not the cookie) shouldn't hurt, right?

All I really want to achieve is to avoid having bad people quickly determining the password via the MD5 hash in the session/cookie.
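For comparison with the scheme described in the post, an added example (not the poster's code) of a login flow where the row is found by username, so exactly one salted hash is checked, and the cookie carries a random session token rather than anything derived from the password. It swaps the MD5 loop for PHP's built-in `password_hash()`/`password_verify()`. The `$users` and `$sessions` arrays stand in for database tables, usernames are assumed unique, and all names and sample values are constructed.

```php
<?php
// Added example, not the poster's code. $users and $sessions stand in for
// database tables; all names and sample values are constructed.
$users = [];     // username => ['pw_hash' => ...]
$sessions = [];  // sha256(session token) => username

function register(array &$users, string $username, string $password): void
{
    // password_hash() generates a random per-user salt and embeds it, along
    // with the algorithm and cost, in the returned string: one column holds it all.
    $users[$username] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function login(array $users, array &$sessions, string $username, string $password): ?string
{
    // Fetch the single row for this username; no other user's salt is touched.
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    // The cookie gets a random token unrelated to the password. Only its
    // SHA-256 is kept server-side, so a leaked session table yields no usable cookies.
    $token = bin2hex(random_bytes(32));
    $sessions[hash('sha256', $token)] = $username;
    return $token;
}

function userForCookie(array $sessions, string $cookieToken): ?string
{
    // Resolve a presented cookie value back to a username, or null if unknown.
    return $sessions[hash('sha256', $cookieToken)] ?? null;
}

// Constructed sample run.
register($users, 'alice', 'correct horse battery staple');
$cookie = login($users, $sessions, 'alice', 'correct horse battery staple');
var_dump($cookie !== null);
var_dump(userForCookie($sessions, $cookie) === 'alice');
var_dump(login($users, $sessions, 'alice', 'wrong guess'));
var_dump(login($users, $sessions, 'mallory', 'anything'));
```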