
PHP / MySQL:  Password hash & salt

detox1978 asked:
Hi All,


I want to change the admin password to our intranet site.

The person who developed it has left good documentation, but I'm not that familiar with the concept of HASH and SALT.


Can someone run me through the concept, and walk me through changing the password?


Many thanks

Why do we store a password as an md5 hash in the database? Because we don't want a hacker to see the text equivalents of the passwords if our database is ever compromised. Since md5 is a one-way hash, no one can change it back to the original text password.

Then why do we use a salt in front of the original password when we make that md5 hash, if it is so secure and irreversible? Because there are now things called reverse md5 lookups. The way these work is they go through common words and letters and patterns and make the md5 hash for each. Then they store the original text and the md5 hash. When you search on their website for an md5 hash you made, it will show you the original text.

So let's say my password is "cat". Most likely the md5 for "cat" has already been documented and stored on a website like that, so the attacker, if he ever found the md5 password equivalent of my password, could search that website and find that my text equivalent password is "cat".

But now if we add a salt in front of our password before we do the md5 hash, then things become much more difficult. Let's say my salt is "omg_lolololol_my_epic_salt". If we add that salt in front of my text password, giving "omg_lolololol_my_epic_saltcat", and do md5 on this, then the resulting md5 is completely different to what it would have been for just "cat". Thus it will be basically irreversible.

And this is why you might as well use just one salt. It doesn't even matter if the hacker finds out what your salt string is. The computational power to go through all kinds of possible passwords with that salt attached in front just to find a password for a small website is pointless.

And a few links from this website for reference:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_22984916.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_24713447.html
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_25105528.html
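
The salting scheme described in the answer above, as an added PHP example that is not part of the original answer or the intranet's own code: it computes the salted md5 value you would store for a new password and sets PHP's built-in `password_hash()` beside it. The `md5($salt . $password)` layout is an assumption; the real scheme and salt are whatever the developer's documentation specifies.

```php
<?php
// Added example. Assumption: the site stores md5($salt . $password) as the
// answer describes; the real scheme and salt are in the developer's docs.

// Legacy scheme from the answer: one site-wide salt prepended, then MD5.
function legacy_hash(string $salt, string $password): string
{
    return md5($salt . $password);
}

// Check a login attempt against a stored legacy hash (constant-time compare).
function legacy_verify(string $salt, string $password, string $stored): bool
{
    return hash_equals($stored, legacy_hash($salt, $password));
}

$salt = 'omg_lolololol_my_epic_salt';   // salt string used in the answer
$new  = 'cat';                          // example password from the answer

// The salt changes the digest, so a lookup table of plain md5() values misses.
printf("md5(password)        = %s\n", md5($new));
printf("md5(salt . password) = %s\n", legacy_hash($salt, $new));

// Value to store for the admin account under the legacy scheme.
$stored = legacy_hash($salt, $new);
var_dump(legacy_verify($salt, 'cat', $stored));   // correct password
var_dump(legacy_verify($salt, 'dog', $stored));   // wrong password

// With one shared salt, two accounts using the same password get the
// same stored hash, so cracking one reveals the other.
$alice = legacy_hash($salt, 'cat');
$bob   = legacy_hash($salt, 'cat');
var_dump($alice === $bob);

// PHP's built-in password_hash() generates a random salt per call and
// stores it inside the hash string, so the same password hashes differently
// each time while password_verify() still accepts it.
$a = password_hash($new, PASSWORD_DEFAULT);
$b = password_hash($new, PASSWORD_DEFAULT);
var_dump($a === $b);
var_dump(password_verify($new, $a));
var_dump(password_verify($new, $b));
```

To change the password, the computed value replaces the admin row's stored hash; the table and column names come from the developer's documentation.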

Author commented:
Thanks for the info....