PHP Security – using salt to improve password protection


Security on your site is everything. If you have a login form, it is the most important thing to secure, because login forms are the first thing attackers look at on a site. The first line of defence is never to store passwords in plain text.

The common practice today is to apply one-way hashing to passwords, so that even you cannot recover them. People most commonly use the md5 algorithm to hash passwords. But md5 alone is not enough, and it can be broken.

Let me show you some simple ways of improving your one-way hashing. One of the easiest to implement is prepending a salt value (a constant) to the password and then hashing the result with md5:

// Constant salt, prepended to the password before hashing
$password = 'mygreatPassword';
$salt = 'abfr6Yserthfg/$dfabrekjsaz';
$password = md5($salt . $password); // store this value instead of the plain-text password

In the example above, we put the salt value in front of our password and hash the two together with the md5 algorithm. Easy but effective. Still, a large brute-force attack can break this.

Let us spice things up a little by combining several hashing algorithms into a double-hashing scheme:

$password = 'mygreatPassword';
$salt = sha1(md5($password));       // salt derived from the password itself: md5, then sha1
$password = md5($password . $salt); // password and derived salt hashed together with md5

As you can see, we first hashed the password with the double-hashing scheme (md5, then sha1) to create the salt value. After that, we combined the real password with the generated salt value and hashed it again with md5. The advantage is that this way the salt value is random and it changes, making it nearly impossible to break. I mean, if you can wait a million years and have a supercomputer on your hands, try to break it.
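As an added example (not code from the original post), the script below puts the two schemes side by side: the second scheme's salt is computed from the password alone, so two accounts with the same password get the same stored value and the salt is identical on every run, whereas a salt drawn from random_bytes() and stored next to the hash gives every account a different value while still verifying. It assumes PHP 7.1 or later; the `salt:hash` record format is a convention constructed for this example.

```php
<?php
// Added example: the two salting schemes from the post, side by side.

// Scheme from the post: the "salt" is sha1(md5(password)), so it is a
// pure function of the password and comes out the same on every run.
function pageStyleHash(string $password): string
{
    $salt = sha1(md5($password));
    return md5($password . $salt);
}

// Per-user salt from the CSPRNG, stored next to the hash so it can be
// reused at login. Record format "<hex salt>:<sha256 hex>" is a convention
// constructed for this example. Assumes PHP 7.1+ (random_bytes, ?string).
function saltedHash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? bin2hex(random_bytes(16));
    return $salt . ':' . hash('sha256', $salt . $password);
}

// Recompute with the stored salt and compare in constant time.
function verifySalted(string $password, string $record): bool
{
    $salt = explode(':', $record, 2)[0];
    return hash_equals($record, saltedHash($password, $salt));
}

// Two accounts with the same password: the post's scheme stores the same
// value for both, the random-salt scheme stores two different values, and
// each of those still verifies only against the right password.
$samePassword = 'mygreatPassword';
var_dump(pageStyleHash($samePassword) === pageStyleHash($samePassword));

$recordA = saltedHash($samePassword);
$recordB = saltedHash($samePassword);
var_dump($recordA === $recordB);
var_dump(verifySalted($samePassword, $recordA));
var_dump(verifySalted('wrongPassword', $recordA));
```

PHP's built-in password_hash() and password_verify() (PHP 5.5 and later) generate the salt and apply a deliberately slow hash for you, and are what a practitioner should reach for in production.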

About the author

Zvonko Biškup

A passionate web developer with more than 13 years of experience in PHP and other web-related technologies. My main interests are WordPress and new PHP frameworks.
Owner of Influendo Programming.
Enjoys exploring new stuff and possibilities, using new technologies and just having fun developing awesome stuff.