Brian Corrales
corralesonline.com

MD5 Hash A Security Risk?

December 30th, 2006, by brian.corrales

I know, I didn’t want to believe it either. Any good developer knows that it’s important that you encrypt any sensitive information that you store in a database. I usually use an md5 hash or something similar. Only earlier this week did I learn that a mere md5 hash is not enough. Think about it: anyone can make a hash out of any word they want. All that needs to happen is to use a dictionary attack on a system, but instead of using the actual dictionary words, do an md5 on the words first and use them. It’s so simple and I hadn’t even thought of it before.

What’s the solution? The solution is to salt your hash! I found this easy tutorial that explains why an md5 is not sufficient (but better than nothing) and how to salt your hash with one easy method: http://phpsec.org/articles/2005/password-hashing.html

A salt is a randomly generated string of pre-defined length that is prepended to the term you want to hash. This adds another level of encryption. You save both the salt and the hash in your database. To authenticate, for example, you would enter your username and password. The username lets the system retrieve the corresponding salt. You would then add the salt to the password entered by the user and do an md5 hash on the concatenated string. Simply compare the hashed password in the database with the hashed concatenated string. All of this can be summarized in this short PHP function from the phpsec.org article:

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        // No salt supplied (new account): generate a fresh one and trim it to SALT_LENGTH characters
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        // Salt supplied (login): normalise it to SALT_LENGTH characters
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    // The salt is stored in front of the digest so it can be read back at verification time
    return $salt . sha1($salt . $plainText);
}

The only difference here is that they used SHA-1 instead of md5. If anyone has any comments on the effectiveness of a salt and hash, please let me know. Perhaps there’s an even better way to go about secure authentication.
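To show the whole procedure end to end, here is an added Python example; it is not part of this post or of the phpsec.org article. It mirrors generateHash() with SHA-1 (salt prepended to the digest), verifies a login by reading the salt back off the stored value, and then contrasts what the pre-hashed dictionary described above achieves against an unsalted column versus a salted one. The word list and the user passwords are constructed sample data, and the salt is drawn from the OS random source instead of uniqid()/rand().

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

SALT_LENGTH = 9  # same salt length as the article's PHP snippet

# Constructed sample word list standing in for the dictionary in the post.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "hunter2"]


def unsalted_hash(plain_text: str) -> str:
    """The scheme the post warns against: a bare digest of the password."""
    return hashlib.sha1(plain_text.encode()).hexdigest()


def generate_hash(plain_text: str, salt: Optional[str] = None) -> str:
    """Python counterpart of generateHash(): returns salt + sha1(salt + password).

    With no salt given (new account) a fresh one is drawn from the OS CSPRNG;
    with a salt given (login) it is trimmed to SALT_LENGTH, as the PHP does."""
    if salt is None:
        salt = secrets.token_hex(SALT_LENGTH)[:SALT_LENGTH]
    else:
        salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def verify(plain_text: str, stored: str) -> bool:
    """Login check: recover the salt from the stored value, rehash the submitted
    password with it, and compare in constant time."""
    salt = stored[:SALT_LENGTH]
    return hmac.compare_digest(generate_hash(plain_text, salt), stored)


def precomputed_table() -> Dict[str, str]:
    """The pre-hashed dictionary from the post: digest -> word, built once up front."""
    return {unsalted_hash(word): word for word in WORDLIST}


def dictionary_hits_unsalted(stored_digests: Iterable[str], table: Dict[str, str]) -> int:
    """Unsalted column: each stored digest is a single table lookup, no hashing at all."""
    return sum(1 for digest in stored_digests if digest in table)


def dictionary_hits_salted(stored_values: Iterable[str]) -> Tuple[int, int]:
    """Salted column: the precomputed table is useless because every user has a
    different salt, so the word list must be rehashed per user.
    Returns (matches found, hash computations spent)."""
    matches = hashes = 0
    for stored in stored_values:
        salt = stored[:SALT_LENGTH]
        for word in WORDLIST:
            hashes += 1
            if generate_hash(word, salt) == stored:
                matches += 1
                break
    return matches, hashes


def demo() -> Tuple[int, int, int]:
    """Constructed users: two share a dictionary word, one has a non-dictionary password.
    Returns (unsalted hits, salted hits, hashes needed against the salted column)."""
    passwords: List[str] = ["password", "zzzq-not-in-list", "dragon"]
    unsalted = [unsalted_hash(p) for p in passwords]
    salted = [generate_hash(p) for p in passwords]
    assert all(verify(p, s) for p, s in zip(passwords, salted))
    hits_unsalted = dictionary_hits_unsalted(unsalted, precomputed_table())
    hits_salted, hashes = dictionary_hits_salted(salted)
    return hits_unsalted, hits_salted, hashes


if __name__ == "__main__":
    print(demo())  # → (2, 2, 10): same words found, but only after per-user rehashing
```

Both columns leak the same two dictionary passwords in the end; the difference the salt makes is that the attacker's table built ahead of time matches nothing, and every user costs a fresh pass over the word list. That is exactly the "hash the dictionary first" shortcut from the post being taken away.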