Darren Davies is partially correct in saying that you should use a salt - there are several issues with his claim that MD5 is insecure.

You've said that you have to insert the password using an MD5 hash, but that doesn't really tell us why. Is it because that's the format used when validating the password? Do you have control over the code which validates the password?

The thing about using a salt is that it avoids the problem where 2 users have the same password - they'll also have the same hash - not a desirable outcome. By using a different salt for each password then this does not arise (with very large volumes of data there is still a risk of collisions arising from 2 different passwords - but we'll ignore that for now). So you can either generate a random value for the salt and store that in the record too, or you could use some of the data you already hold - such as the username:
(I am assuming that you've properly escaped all those strings earlier in your code)

The MD5 hashing algorithm is still one of the most used in the world, especially in MySQL tables. When inserting a new line with PHPMyAdmin, there is a dropdown menu on the left of the field. Pick the MD5 function in the list and enter the value in clear text. It will be converted to an MD5 hash automatically on insertion.

Today, I’ll give you a step-by-step tutorial on how to create a table to store MD5, how to set your MD5 Password and how to manage this in PHP directly.
Creating a demo table

Before going further, I’ll create a basic MySQL table to show you how it works.
Here is the corresponding MySQL query to create the table if you want to try while reading this post:
And the result:

We are now ready to insert a new line in this table!

Insert a new line with PHPMyAdmin

In PHPMyAdmin, you can insert new lines with a form, you don’t need to type the MySQL query each time. In this part, I’ll show you how to do this, but if you are also interested in the MySQL query, I’ll give it to you just after.

Here is how to set a MD5 password while inserting your values in PHPMyAdmin:

Once done, the lines look like this:

The password is correctly encrypted in the field.

Set a MD5 Password in MySQL and/or PHP directly

In this part, I’ll show you how to do the same thing directly in MySQL, but also with PHP.

MySQL

If you followed the previous method with PHPMyAdmin, you may have seen the MySQL query displayed on your screen.
So, we just add the “MD5()” function around the clear-text password, and it will insert a line with an MD5 hash. By the way, the auto_id field is not mandatory, and will be filled automatically even if you don’t set it to “NULL” in the query.
Once you have the MySQL query set for your new users, you can click on “SQL” and paste it directly in PHPMyAdmin.

PHP

You now know almost everything; the only step missing is how to check that the password used is correct on sign-in.

Create a user in PHP

In PHP, there is a family of functions, starting with mysqli_*, that allow you to work with a MySQL database. Let’s start immediately with the code sample:
Here is a short explanation:
Verify a user and password in PHP

Good, now we have seen how to set a MD5 password in our table, from PHPMyAdmin or directly with PHP. The MD5 algorithm is not reversible, so the only way is to hash the password typed in the form before trying to match it with the database.
It’s a basic example you need to complete, but it should give you an idea of how it works.

Security issues with MD5

If you don’t know, you have to be cautious when you use the MD5 algorithm to store passwords. It’s one of the less secure algorithms in use today, so if you can, it’s better to avoid it.

Why is MD5 not secure?

I already wrote an article on the topic, so I won’t give too many details here, but in short, there are at least 3 reasons why using MD5 is not a good idea:
If you want to know more about these reasons, check my post on “Why MD5 is not safe?“.

What can you do to improve security?

You can find more details in the linked post above on how to improve security with several solutions. A salt is a word you add before and/or after the password to hash. When someone tries to sign in, you will do the same thing: you take the password entered in the form, and you add the salt before hashing the whole string in MD5.

An example with salt in PHP

In PHP, using salt is very similar to what we have already done earlier:
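An added example of the salted check described above (not the original post's code): each user gets a random salt stored in the row, the comparison uses hash_equals(), and a successful login replaces the MD5 value with PHP's password_hash(). The `users` table name, the `salt` column and the in-memory SQLite connection (standing in for MySQL so the example runs offline) are assumptions; the password is a constructed sample.

```php
<?php
// Added example, not the post's code. Assumed names: table `users`, column `salt`.
// In-memory SQLite (PDO) stands in for the MySQL table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (auto_id INTEGER PRIMARY KEY, login TEXT UNIQUE, salt TEXT, password TEXT)');

// Scheme from this page: md5(salt . password), with a random salt per user
// stored in the row, so two users with the same password get different hashes.
function create_md5_user(PDO $db, string $login, string $password): void
{
    $salt = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO users (login, salt, password) VALUES (?, ?, ?)');
    $stmt->execute([$login, $salt, md5($salt . $password)]);
}

function check_login(PDO $db, string $login, string $password): bool
{
    // Bound parameters replace manual string escaping.
    $stmt = $db->prepare('SELECT salt, password FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown login
    }
    if ($row['salt'] === null) {
        // Row already upgraded: password_hash() output carries its own salt.
        return password_verify($password, $row['password']);
    }
    // Legacy row: recompute the salted MD5 and compare in constant time.
    if (!hash_equals($row['password'], md5($row['salt'] . $password))) {
        return false;
    }
    // The clear-text password is only available now, so upgrade the row here.
    $up = $db->prepare('UPDATE users SET salt = NULL, password = ? WHERE login = ?');
    $up->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    return true;
}

create_md5_user($db, 'alice', 'constructed-sample-password');
var_dump(check_login($db, 'alice', 'wrong-guess'));
var_dump(check_login($db, 'alice', 'constructed-sample-password'));
var_dump(check_login($db, 'alice', 'constructed-sample-password'));
$stored = $db->query("SELECT password FROM users WHERE login = 'alice'")->fetchColumn();
var_dump(strlen($stored) > 32);
```

The second successful login is checked by password_verify(), because the first one replaced the 32-character MD5 value in the row.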
The only change in PHP is the concatenation between salt and password (“.”). If this process with salt is still complicated for you, feel free to check my post on MD5 Salt here.

Conclusion

That’s it, you now have a good overview of how to use MD5 passwords in PHPMyAdmin, and also in MySQL and PHP. I hope this post was useful for you, please share it on your favorite social network or forum! 🙂

How do I find the MD5 password in MySQL?

$salt = 'Vwm'; $password = '123123'; echo md5($salt . md5($password . $salt) . $password);

How to encrypt MD5 in PHP?

PHP md5() Function.
Calculate the MD5 hash of the string "Hello": $str = "Hello"; echo md5($str); ...
Print the result of md5(): $str = "Hello"; echo "The string: ". $str."<br>"; ...
Print the result of md5() and then test it: $str = "Hello"; echo md5($str); if (md5($str) == "8b1a9953c4611296a827abf8c47804d7")

How do I change my MD5 password?

To do this, find the “MD5” function in the dropdown list.
The “auto_id” needs to stay empty (will be automatically set).
Type the “login” you want to create.
Enter the “password” in clear mode in the value column.

Can we decrypt MD5 in PHP?

How to decrypt MD5 passwords in PHP? The MD5 cryptographic algorithm is not reversible, i.e. we cannot decrypt a hash value created by MD5 to get the input back to its original value. So there is no way to decrypt an MD5 password.