Publishing System Settings Logout Login Register
Understanding MD5 password encryption and security
TutorialCommentsThe AuthorReport Tutorial
Tutorial Avatar
Rating
Add to Favorites
Posted on December 15th, 2006
28146 views
PHP Coding
Overview

So you're using MD5 to encrypt your users passwords and you think it's fully secured? In this tutorial, I'll explain how to secure your MD5 passwords and how they work.

Many people think the MD5 hash string is the password but encrypted. It's in fact a 32-character hexadecimal number corresponding to the string you entered. It does not contains your password at all. But is it possible to login even if you don't know the real password? Yes...

How it works

In a PHP script, you can simply use the md5() function to generate the MD5 hash from a string.

[code=PHP]
<?php
$string = 'Something';
$hash = md5($string);
echo $hash;
?>
[/code]

The above script is going to output: 73f9977556584a369800e775b48f3dbe

Making it secure

While it might look secure and impossible to break, it's not. If 2 prefixes have the same hash, a similar prefix can be randomly generated and its going to work. So you can basically login using another password that generate the same MD5 hash. Multiple websites have the ability to reverse a MD5 hash into a usable password.

The solution is to use a Salt before generating the MD5 hash. A salt is a small string containing random characters that are not known by the user. The hash would then be generated this way:

[code=PHP]
<?php
$string = 'something';
$salt = 's+(_a*';
$hash = md5($string.$salt);
?>
[/code]

$string is the password entered by the user and $salt is a randomly generated string.

The hacker can now have fun trying to reverse the hash but he's going to get a password with the salt. Entering that password is going to return invalid login! Why? The salt is being included twice:

hash = md5 ( ( password + salt ) + salt )

This method is used by many commercial applications (Invision Power Board 2.x for example).

Invision Power Board Vulnerability

Invision Power Board (versions below 2.2) still store the normal MD5 hash without the salt if you upgraded from an old version. In order to keep your passwords secure, run this query in your database:

[code=SQL]
UPDATE ibf_members SET legacy_password = ''
[/code]
Premium Publisher
Dig this tutorial?
Thank the author by sending him a few P2L credits!

Send
NGPixel

Lead Programmer at Pixel2Life

My tutorials are mostly about PHP, MySQL, XHTML, CSS and Fireworks.
View Full Profile Add as Friend Send PM
Pixel2Life Home Advanced Search Search Tutorial Index Publish Tutorials Community Forums Web Hosting P2L On Facebook P2L On Twitter P2L Feeds Tutorial Index Publish Tutorials Community Forums Web Hosting P2L On Facebook P2L On Twitter P2L Feeds Pixel2life Homepage Submit a Tutorial Publish a Tutorial Join our Forums P2L Marketplace Advertise on P2L P2L Website Hosting Help and FAQ Topsites Link Exchange P2L RSS Feeds P2L Sitemap Contact Us Privacy Statement Legal P2L Facebook Fanpage Follow us on Twitter P2L Studios Portal P2L Website Hosting Back to Top