Encrypting PHP (Usernames & Passwords)
MD5 Encryption on the back end of a PHP Admin Panel
Every once in awhile you need to hash a string real quick. Create a MD5 hash from a string using this MD5 Hash Generator. The strings entered and the MD5 hashes created on this page via the demo below are discarded after generation. They are not stored. Don’t trust me on that though! Use to demo to create your own MD5 hash page. If you are new to hashing, you might want to read the information below before using or downloading the MD5 generator script at the bottom of the page.
A little more information on hashing
MD5 Hashing is when you take a plain text string and use a cryptographic function to garble it up into a hash. Unlike encryption, hashing is a one way street and there is no “formula” for reversing the hash back into plain text. The great thing about hashing is that it is consistent. The MD5 hash for one of the most common user passwords, “monkey”, will alway be “d0763edaa9d9bd2a9516280e9044d885”.
So instead of storing your user’s passwords in plain text format you should hash them then store them. Next time your visitor logs into your website, they will enter their username and password, you will run the password string that they supply during login through the MD5 hash function again, and look for the match in the user table of your database.
Everything is secure now, right? Not so fast. We now know that the MD5 hash for “monkey” will always be “d0763edaa9d9bd2a9516280e9044d885”. So now that ‘monkey’ and it’s hash have been matched – that string and hash combo have been compromised! In fact, every common password and all dictionary passwords have already been matched with their MD5 counterparts and made available for reverse lookup. It would simply take a few simple queries to match the MD5 with a string.
So now we are back where we started with a database table full of MD5 hashed passwords that could compromise our site and users, should a hacker gain access to our table of login data.
Overcoming MD5 Weakness with Salting
The consistency of MD5 hashing is both its greatest strength and weakness. We can patch this flaw with “salting”.
Unless you have really strict password guidelines, most users will choose a short, simple password for their login. Passwords like abc123, password, and… “monkey” will be commonly used.
Salting is when you append an additional string to your user’s password before hashing it.
This will make even a stupid simple password like “monkey” unmatchable should your logins be compromised.
Here is how we would salt the stupid simple “monkey” password:
$password = 'monkey';
//your secret, site salt.
$salt = 'S@lt3d!';
//join the salt to the password any way you see fit
$salted_password = $password.$salt;
//hash the password/salt combo
$hash = md5($salted_password);
//simple 'monkey' password hash has now been disguised as
//'09f4dafc78c123b6bbdfcda13153fe2f'.
So now ‘monkey’ has been disguised. Whenever our registered user returns to our site and logins, all we have to do is consistently join our secret salt back to the users password before hashing and comparing the results stored in our login database.