[zoliky]

I want to generate a random MD5 hash for each registered user as password. I know, MD5 is one-way hash.
If user login after registration I want to compare a generated MD5 hash with MD5 hash from database.

I don't really know which is the better way to generate this MD5 hash. This formula is enough ? :

MD5 function + plain text password = md5 hash

I appreciate any suggestion.
Thanks !

[stormshadow]

is make a secret word... that only you know ( random ) you dont need to remember it... such as phebEs8e

this way if someone does access your db they cant reverse many passwords because it isnt just their password...

for instance
someone stores their password as password
then it md5s it as 5f4dcc3b5aa765d61d8327deb882cf99

This can easily be reversed with the most minor md5 reverse databases out there...

but if you do a word in front you should be pretty secure...

the code would be

PHP Code:

$md5pass = md5("phebEs8e". htmlspecialchars($_POST['password])); 

Hope that helps...

[zoliky]

stormshadow thank you very much !

I read this issue in Essential PHP Security (2005) - Oreilly

Quote:

Using the MD5 of a user's password is a common approach that is no longer considered particularly safe. Recent discoveries have revealed both weaknesses in the MD5 algorithm , and many MD5 databases minimize the effort required to reverse an MD5. To see an example, visit http://md5.rednoize.com/.

The best protection is to salt the user's password using a string that is unique to your application.

"phebEs8e" is a salt. But what happen is someone stole my PHP code and see the salt?

[Nico]

You can create a personal salt for each user. You can use for example the first the characters of his username or email address.

PHP Code:

$password = md5(substr($username, 0, 3) . $pass);



// Or



$password = md5('somesalt' . substr($username, 0, 3) . $pass); 

Just play with it and be creative.

[zoliky]

Thanks !
And when I change the username or password from administrator panel I need to update the hash ?

[zoliky]

Quote:

Originally Posted by Nico

You can create a personal salt for each user. You can use for example the first the characters of his username or email address.

PHP Code:

$password = md5(substr($username, 0, 3) . $pass);



// Or



$password = md5('somesalt' . substr($username, 0, 3) . $pass); 

Just play with it and be creative.

This personal salt work for me, I do something like :

PHP Code:

$username = $_POST['username'];



$salt         = substr($username, 0, 3);

$pwdhash  = md5($salt . md5($password . $salt)); 

Now, user login as:

user
password

And work good. But exist a problem, if user login as;

User
password

the username is case-sensitive. And : "User" and "user" generate different MD5 salt. This is not a good idea.

Exist a way to solve this problem ? I don't need case-sensitive usernames, only case-sensitive passwords.

Thanks

[End User]

Quote:

Originally Posted by zoliky

Exist a way to solve this problem ? I don't need case-sensitive usernames, only case-sensitive passwords.

Then convert the usernames to lowercase before using them:

$username = strtolower($username);

[bokehman]

Why do you need this level of security? What are you protecting? My view is don't bother with this unless you really have something worth protecting. To be quiet honest if your siteis comprimised to this extent do you really think someone would both trying to crack a hashed password so they can log in to the site in the conventional fashion? They already have free rein to do as they please, why would they bother?