MD5 Password Hashing


The days of relying on plain MD5 hashes in a database to protect your passwords are gone (not that you should ever have relied on that). A handy little site called MD5 Decrypter (http://www.md5decrypter.com/) can aid an attacker in recovering the password behind a hash. To be honest, "aid" is an understatement: the only thing the attacker needs to do is paste the hash into the input box and click a button. Of course, this assumes the attacker has already obtained the hashed password, either through a database compromise or by sniffing it off the wire.

So, to make the hashes a little harder to compromise, add a two-part salt to the input of your MD5 call. This is definitely not an end-all solution. If possible, elect to use a strong encryption algorithm in place of hashing. If your client or organization is under a regulatory restriction such as PCI, you should use an industry-recognized encryption algorithm.

See the sample PHP code below:


<?php
// Get user input from the login/registration form
$password = filter_var($_POST['fld_password'], FILTER_SANITIZE_STRING);

// Salt variables: two fixed, site-specific strings appended to every password
$salt_1 = 'just-some_RANDOM-stuff-12345';
$salt_2 = 'M0r3-_RANDOM-stuff-123453434';

// Create the hash: md5(password . salt_1 . salt_2), stored instead of md5(password)
$hash = md5($password . $salt_1 . $salt_2);
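The following Python example is added here to illustrate the article's point and is not code from the original post. It reimplements the page's scheme (MD5 over the password plus the two static salts above), contrasts it with a constructed stand-in for a public MD5 lookup table, and adds a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256, an assumption of this example rather than the page's recommendation) to show why a fixed site-wide salt is only a partial fix.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Static salts copied from the page's PHP snippet.
SALT_1 = "just-some_RANDOM-stuff-12345"
SALT_2 = "M0r3-_RANDOM-stuff-123453434"

def unsalted_md5(password: str) -> str:
    """Plain md5(password), the scheme the page says to move away from."""
    return hashlib.md5(password.encode()).hexdigest()

def static_salt_md5(password: str) -> str:
    """The page's scheme: md5(password . salt_1 . salt_2), one fixed salt for all users."""
    return hashlib.md5((password + SALT_1 + SALT_2).encode()).hexdigest()

# Constructed stand-in for a public MD5 lookup site: unsalted digests of a few
# common passwords, keyed by digest.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
LOOKUP_TABLE = {unsalted_md5(p): p for p in COMMON_PASSWORDS}

def lookup(digest_hex: str) -> Optional[str]:
    """Reverse a digest by table lookup; None means it was not precomputed."""
    return LOOKUP_TABLE.get(digest_hex)

def per_user_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Stronger variant (added here, not from the page): a fresh random salt per
    user plus a slow KDF (PBKDF2-HMAC-SHA256). Returns (salt, digest) to store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes,
           iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = per_user_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print(lookup(unsalted_md5("password")))      # password: reversed instantly
    print(lookup(static_salt_md5("password")))   # None: site salt defeats the table
    # Fixed salt: two accounts with the same password share one digest, so one
    # cracked hash exposes all of them; a per-user salt gives distinct digests.
    s1, d1 = per_user_hash("password")
    s2, d2 = per_user_hash("password")
    print(d1 != d2, verify("password", s1, d1), verify("wrong", s2, d2))  # True True False
```

With the page's static salt, identical passwords still produce identical hashes across accounts, which is exactly what a per-user salt prevents.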
