Hey guys, I'm trying to make a login system which uses MD5 encryption for the password. I have the encrypting working and all; it's just that for some reason when I enter the password "palmer" into the login page and click the login button I made, it sends me to a page where it tells me the encrypted password, and using "palmer" as the password it outputs this: "Duncan Logged in using password 4844fd4088ef5278ad18f892808ebda8 - palmer". The password in the database when encrypted is "4669a6b46c8d891b373cfcd664dff6". Why are the two passwords different? I am using the same salt (the salt is "a123b123").

Below is my code which encrypts password on register:

$password = $_POST['password'];

$md5pass = md5($salt.md5($password)); // $salt is assumed to hold "a123b123" here, as on the login page

Below is my login code.

<?php
session_start();
include('config/config.php'); // assumed to define $salt ("a123b123") and open the database connection

$email = $_POST['email'];
$password = $_POST['password'];
$pass2 = md5($salt.md5($password)); // same construction as on register

$check = mysql_query("SELECT `email`,`password` FROM user WHERE (`email`='$email' AND `password`='$pass2')") or die(mysql_error());

$count = mysql_num_rows($check);

//if($count == 1) {
$_SESSION['user'] = strtoupper($email); // $email is the only identifier this script sets
//header('Location: /panel/index.php');
echo("Duncan Logged in using password $pass2 - $password"); // $pass2 is the digest, $password the submitted plaintext
//} else {
//$_SESSION['errormsg'] = "<div id='error'><strong>Error:</strong> Invalid Username or Password!</div>";
//header('Location: index.php');
//}
?>
Duncan Palmer

3 Answers

You have to store your salt – and please, use a random salt; this way two users with the same password will get a different digest! – somewhere for later use:

$salt = sha1(getRandomSalt()); // getRandomSalt() stands for your own CSPRNG call, e.g. random_bytes(16)
$digest = sha1($password.$salt).'$'.$salt; // use sha1 instead of md5; the '$' separates hash and salt for storage

later you can check the provided password with the same salt:

list($stored_pw, $stored_salt) = explode('$', $stored_digest); // split the stored value back into hash and salt
if($stored_pw == sha1($user_provided_pw.$stored_salt)) {
  echo 'user provided correct password';
}
knittl

You should really use bcrypt for this. There is more on bcrypt on previous Stack Overflow post How do you use bcrypt for hashing passwords in PHP?

bcrypt is considered the most secure way to implement password hashing with salt because it is slow - much slower than MD5.

Fenton
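
The two answers above come down to the same design: a random salt per user and a deliberately slow hash, with the salt stored next to the digest so the login page can redo the same computation. PHP's password_hash()/password_verify() implement exactly that with bcrypt, embedding the salt in the 60-character result. The script below is an added example, not code from the question or from either answer. It assumes an in-memory SQLite database through PDO (pdo_sqlite), a `user` table with `email` and `password` columns, and uses the question's fixed salt "a123b123" only to recognise rows still stored under the old md5($salt.md5($password)) scheme so they can be rehashed on first successful login. It also binds the email as a query parameter instead of interpolating it into the SQL string as the question's login code does. One caveat worth checking against the original setup: the stored value quoted in the question is 30 hex characters, while md5() always returns 32, which is what a password column narrower than the digest would produce; a truncated digest never matches.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answers): per-user random salt and a
// slow hash via password_hash()/password_verify(), a parameterised login query, and
// a one-time migration off the fixed-salt MD5 scheme. Table/column names and the
// SQLite-in-memory database are assumptions made so the file runs stand-alone.

const LEGACY_SALT = 'a123b123'; // the fixed salt from the question (legacy rows only)
const BCRYPT_COST = 12;

/** The scheme from the question: fixed salt, fast hash, no per-user entropy. */
function legacy_hash(string $password): string
{
    return md5(LEGACY_SALT . md5($password));
}

/** bcrypt draws a fresh random salt per call and stores it inside the result. */
function new_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // bcrypt output is 60 characters; a column narrower than the digest silently
    // truncates it and verification can then never succeed.
    $db->exec('CREATE TABLE user (email TEXT PRIMARY KEY, password VARCHAR(255) NOT NULL)');
    return $db;
}

function register(PDO $db, string $email, string $password): void
{
    $stmt = $db->prepare('INSERT INTO user (email, password) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => new_hash($password)]);
}

function store_hash(PDO $db, string $email, string $password): void
{
    $stmt = $db->prepare('UPDATE user SET password = :password WHERE email = :email');
    $stmt->execute([':password' => new_hash($password), ':email' => $email]);
}

/** Returns true on a correct password; upgrades legacy or weak rows in place. */
function login(PDO $db, string $email, string $password): bool
{
    // Parameter binding: the submitted email never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown account
    }

    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy 32-hex MD5 row: compare in constant time, then replace it with
        // bcrypt so the unsalted-per-user MD5 value disappears from the table.
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        store_hash($db, $email, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        store_hash($db, $email, $password); // cost was raised since this row was written
    }
    return true;
}

// Usage: one fresh account, one row seeded with the legacy digest (constructed data).
$db = setup_db();
register($db, 'duncan@example.com', 'palmer');
$db->prepare('INSERT INTO user (email, password) VALUES (:e, :p)')
   ->execute([':e' => 'legacy@example.com', ':p' => legacy_hash('palmer')]);

printf("fresh account, right password:  %s\n", login($db, 'duncan@example.com', 'palmer') ? 'ok' : 'rejected');
printf("fresh account, wrong password:  %s\n", login($db, 'duncan@example.com', 'wrong') ? 'ok' : 'rejected');
printf("legacy row, right password:     %s\n", login($db, 'legacy@example.com', 'palmer') ? 'ok' : 'rejected');
$row = $db->query("SELECT password FROM user WHERE email = 'legacy@example.com'")->fetchColumn();
printf("legacy row now stored as bcrypt: %s\n", strpos($row, '$2y$') === 0 ? 'yes' : 'no');
```

The usage section registers one account with bcrypt, seeds a second row with the question's digest format, and logs both in; after the legacy row's first successful login its stored value is replaced by a `$2y$` bcrypt string, so the MD5 digest is gone without forcing a password reset. Raising BCRYPT_COST later is handled the same way by password_needs_rehash().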

Just a little comment to knittl's solution from above:

You need to replace the line

if($stored_pw = sha1($user_provided_pw.$stored_salt)) {

by

if($stored_pw == sha1($user_provided_pw.$stored_salt)) {

to get it working.

(I tried to add it to knittl's post, but it says edits need to be at least 6 characters long)

jory