MD5 and SHA Encryption – You must Salt Encrypted Passwords!


What is “salting” in terms of encryption?

Salting means adding an arbitrary value (the salt) at a fixed position in the password before it is hashed, so that the resulting hash differs from the hash the password alone would produce.

For example, the md5 value of the password PRiIMJCbLAuif0GFOhk7dhRn0 is different from that of aPRiIMJCbLAuif0GFOhk7dhRn0, because the single character prepended at the start of the string changes the entire hash.

In essence, salting before hashing makes it much harder for a malicious user who obtains your hashes, for example after a database or security breach on your website, to recover the plain-text passwords from them.

But how? It’s one-way encryption.

MD5 (easily used through the PHP md5() function, as an example) is indeed a one-way function, but there are websites holding huge databases of md5 hashes alongside their plain-text inputs. If you do not salt before hashing, a malicious user will likely be able to “decrypt” your hashes simply by looking them up on such a site.

And how do they do this? Very simply, by comparison. These websites hash enormous lists of plain-text values in advance and store the results; when you submit a hash, they compare it against every stored hash and, if a database record matches, return the plain-text value that produced that md5 hash.

So it’s very important that you salt before hashing. Here’s an example using the PHP programming language:

$salt = "CbLAuif0GF0";
$password = "PRiIMJCbLAuif0GFOhk7dhRn0"; // the password submitted by the user

md5($password); // no salt

md5($salt . $password); // with salt; PHP joins strings with ".", not "+"
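The following is an added example, not code from the original post, written in Python rather than the post's PHP because the idea is the same in any language. It shows both points made above: a small constructed lookup table of the kind a reverse-md5 site keeps finds an unsalted hash immediately but not a salted one, and a stored salted hash can still be verified at login. The random per-user salt, the "salt$digest" storage format and the list of sample passwords are assumptions of this example, not something the post specifies.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a tiny version of the hash -> plain-text table that
# lookup sites keep. Real tables hold billions of entries; the principle is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty",
                    "PRiIMJCbLAuif0GFOhk7dhRn0"]


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a string, the same value PHP's md5() returns."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> plain-text, which is all a reverse-lookup site does."""
    return {md5_hex(p): p for p in candidates}


def reverse_lookup(table, digest):
    """Return the plain-text for a digest if it was precomputed, else None."""
    return table.get(digest)


def hash_password(password: str, salt: str = None) -> str:
    """Return 'salt$digest' (assumed storage format).

    A fresh random salt per user (assumed: 16 random bytes) means two users with
    the same password get different stored values, and a table precomputed for
    unsalted hashes no longer matches anything.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    return f"{salt}${md5_hex(salt + password)}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare."""
    salt, digest = stored.split("$", 1)
    # compare_digest does not leak how many leading characters matched
    return hmac.compare_digest(md5_hex(salt + candidate), digest)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    password = "PRiIMJCbLAuif0GFOhk7dhRn0"
    unsalted = md5_hex(password)
    salted = hash_password(password, salt="CbLAuif0GF0")  # the post's salt
    return {
        "unsalted_found": reverse_lookup(table, unsalted),
        "salted_found": reverse_lookup(table, salted.split("$", 1)[1]),
        "verify_ok": verify_password(salted, password),
        "verify_wrong": verify_password(salted, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the unsalted hash resolved straight back to its plain-text while the salted one is not in the table at all. Note that the salt in the post is a single fixed string, so once an attacker learns it they could precompute a new table for that site; a random salt per user, stored next to the hash as above, removes that shortcut. Because MD5 is extremely fast to compute, real password storage should also use a deliberately slow password-hashing function (PBKDF2, bcrypt or Argon2) in place of md5, with the salting done the same way.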

If you are looking for reliable, affordable and secure web hosting services, visit our homepage.
