Skip to content

PHP Security – using salt to improve password protection

Security on your page is everything. If you have login form, it is most important to secure it, because login forms are first thing hackers look on the site. First line of protection is never to store passwords in plain text.

Common thing today is using one way encryption on passwords, so even you can not decrypt them. People most commonly use md5 algorithm to hash passwords. But md5 is not enough and it can be broken.

Let me show you some simple ways of improving your one way encryption. One of the easiest to implement is using salt value (which is constant) to harden the password and then hash it with md5:

[code lang=”php”]
$password = ‘mygreatPassword’;
$salt = ‘abfr6Yserthfg/$dfabrekjsaz’;
$password = md5($salt.$password);

In above example, we are adding salt value in front of our password and hashing it altogether with md5 algorithm. Easy but effective. Still, big brute force attack can break this.

Let us spice up things a little by combining several algorithms for hashing, making a double hashing algorithm:

[code lang=”php”]
$password = “mygreatPassword”;
$salt = sha1(md5($password));
$password = md5($password.$salt);

As you can see, we first hashed the password using double hashing algorithm (md5 and sha1) and created salt value. After that, we combined real password with generated salt value and hashed it again with md5. The advantage is that this way alt value is random and it changes, making it nearly impossible to break. I mean, if you can wait for a million years and have a super computer on your hands, try to break it.


1 thought on “PHP Security – using salt to improve password protection”

Comments are closed.