Salting your Passwords

Examples in this article will be with salted passwords. Salting the password lessons the risk of dictionary attacks. For example, if I were to use a password of ‘password’. That hash is common and very susceptible to a dictionary attack. However, if the application salted all passwords with a random string like ‘as87f56safg8’, then the resulting stored password would be the encrypted version of ‘as87f56safg8password’, which is not susceptible to a dictionary attack, regardless of how weak of a password provided by the end-user.

MD5 Encryption

Using PHP’s md5() function allows you to easily create a password hash.

Here is the recommended way to encrypt a password:

<?php
	$salt = "7dA+U^@'aF7FLvJ";
	$password = 'secret';
	
	$hash = md5($salt . $password);
	echo $hash;
	
	/* returns: ade1373f24d328d9229d57f284871cd0 */
?>

Since this is a one-way hash, you can’t decode it to compare to verify with a user-supplied password. Instead, take the user-supplied password, encrypt it with the same md5() function & salt, and compare it to the hash stored in your database. If the hashes match, then the supplied password is correct.

SHA1 Encryption

This is very similar to md5(), except using another algorithm.

<?php
	$salt = "7dA+U^@'aF7FLvJ";
	$password = 'secret';
	
	$hash = sha1($salt . $password);
	echo $hash;
	
	/* returns: be58ee5f202d6a9bfcd13ad4ac3552b1367e30db */
?>

There is an alternative PHP function, crypt(), but I find these other two functions easier to use.