So you're using MD5 to encrypt your users passwords and you think it's fully secured? In this tutorial, I'll explain how to secure your MD5 passwords and how they work.
Many people think the MD5 hash string is the password but encrypted. It's in fact a 32-character hexadecimal number corresponding to the string you entered. It does not contains your password at all. But is it possible to login even if you don't know the real password? Yes...
How it works
In a PHP script, you can simply use the md5() function to generate the MD5 hash from a string.
$string = 'Something';
$hash = md5($string);
The above script is going to output: 73f9977556584a369800e775b48f3dbe
Making it secure
While it might look secure and impossible to break, it's not. If 2 prefixes have the same hash, a similar prefix can be randomly generated and its going to work. So you can basically login using another password that generate the same MD5 hash. Multiple websites have the ability to reverse a MD5 hash into a usable password.
The solution is to use a Salt before generating the MD5 hash. A salt is a small string containing random characters that are not known by the user. The hash would then be generated this way:
$string = 'something';
$salt = 's+(_a*';
$hash = md5($string.$salt);
$string is the password entered by the user and $salt is a randomly generated string.
The hacker can now have fun trying to reverse the hash but he's going to get a password with the salt. Entering that password is going to return invalid login! Why? The salt is being included twice:
hash = md5 ( ( password + salt ) + salt )
This method is used by many commercial applications (Invision Power Board 2.x for example).
Invision Power Board Vulnerability
Invision Power Board (versions below 2.2) still store the normal MD5 hash without the salt if you upgraded from an old version. In order to keep your passwords secure, run this query in your database:
UPDATE ibf_members SET legacy_password = ''