{"id":42,"date":"2019-02-09T17:10:31","date_gmt":"2019-02-09T16:10:31","guid":{"rendered":"https:\/\/infosecscout.com\/?p=42"},"modified":"2023-11-22T13:02:42","modified_gmt":"2023-11-22T12:02:42","slug":"md5-salt-hash","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/md5-salt-hash\/","title":{"rendered":"What is MD5 Salt and How to Use It?"},"content":{"rendered":"\n<p>You probably already know that MD5 hashing is not a secure way to store passwords.<br>If you know our services, you probably know that\u00a0we have a giant database with many words, that can be decrypted in a few seconds.<br>By using salt, you could protect yourself a bit\u00a0more against this kind of database, but not so much &#8230;<\/p>\n\n\n\n<p>What is MD5 Salt and How to Use It?<br><strong>In cryptography, salt is a random string that\u00a0you add to an input word, to generate a different hash that with the word alone.<br>MD5 doesn&#8217;t really offer this feature in the cryptographic algorithm, but you can concatenate two strings to get the same result<\/strong>.<\/p>\n\n\n\n<p>In this post I&#8217;ll explain to you what is a salt in the MD5 algorithm, how to use it in your code, and why do you need to use it.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#What_is_an_MD5_salt\" title=\"What is an MD5 salt?\">What is an MD5 salt?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#A_database_without_MD5_salt\" title=\"A database without MD5 salt\">A database without MD5 salt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Adding_salt\" title=\"Adding salt\">Adding salt<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Use_a_static_salt_for_any_users\" title=\"Use a static salt for any users\">Use a static salt for any users<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Use_a_dynamic_salt\" title=\"Use a dynamic salt\">Use a dynamic salt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Database_with_salt\" title=\"Database with salt\">Database with salt<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Why_do_you_need_to_use_salt_with_MD5\" title=\"Why do you need to use salt with MD5?\">Why do you need to use salt with MD5?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#How_to_decrypt_a_MD5\" title=\"How to decrypt a MD5?\">How to decrypt a MD5?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Why_do_you_need_to_use_salt\" title=\"Why do you need to use salt?\">Why do you need to use salt?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#How_to_add_salt_into_a_MD5\" title=\"How to add salt into a MD5?\">How to add salt into a MD5?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/infosecscout.com\/md5-salt-hash\/#Conclusion\" title=\"Conclusion\">Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_an_MD5_salt\"><\/span>What is an MD5 salt?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>I already gave you the answer in the introduction, but I&#8217;ll give you an example in this part.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"A_database_without_MD5_salt\"><\/span>A database without MD5 salt<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Let&#8217;s say you want to store user passwords in a database.<br>As often, you may want to\u00a0use MD5 to store the password.<\/p>\n\n\n\n<p>Let&#8217;s take two users from your database, it will look like this:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>username<\/strong><\/th><th><strong>password<\/strong><\/th><\/tr><\/thead><tbody><tr><td>b.king<\/td><td>5f4dcc3b5aa765d61d8327deb882cf99<\/td><\/tr><tr><td>m.donald<\/td><td>ab4f63f9ac65152575886860dde480a1<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>This is what the table looks like when you use a MD5 function to store the password.<br>If you use the <a rel=\"noopener noreferrer\" href=\"https:\/\/www.md5online.org\/md5-decrypt.html\" target=\"_blank\">MD5 decryption tool<\/a> on MD5Online, you&#8217;ll find in a second what these passwords are.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Adding_salt\"><\/span>Adding salt<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you start using salt, you&#8217;ll need to concatenate a string to the use password.<br>To do this, you have two choices.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_a_static_salt_for_any_users\"><\/span>Use a static salt for any users<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>You can choose to\u00a0add a static salt like &#8220;randomstringforsalt&#8221; before any password.<br>So if the m.donald password is &#8220;azerty&#8221;, you&#8217;ll encrypt &#8220;randomstringforsaltazerty&#8221; instead.<\/p>\n\n\n\n<p>It&#8217;s a first step for more security.<br>It will be as if the m.donald password was strong, while it is the weakest in the world.<\/p>\n\n\n\n<p>And guess what?<br>At the time I write these lines, the corresponding MD5 is not in the MD5Online database \ud83d\ude42<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_a_dynamic_salt\"><\/span>Use a dynamic salt<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If you always use the same salt, an attacker can find it, and then make his job easier.<br>If he knows that\u00a0he needs to add &#8220;randomstringforsalt&#8221; before each password, your salt is no longer useful.<\/p>\n\n\n\n<p>To avoid him to understand that, you may use dynamic salt.<br>For example, you can use the account creation date as salt: &#8220;azerty20190512&#8221;.<br>Or even better, a MD5 hash of the account creation date, like this: &#8220;azertyd003a3d8626f9a78abc9ce900b217819&#8221;.<\/p>\n\n\n\n<p>It&#8217;s a basic example, you have to\u00a0find a better salt, that looks like a random value but that you can find easily to generate password hash.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Database_with_salt\"><\/span>Database with salt<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The database with salt looks like the same as previously.<br>And that&#8217;s the strength of that strategy, the attacker will not now directly if you are using salt or not.<br>So, he will try without, and maybe never find your passwords.<\/p>\n\n\n\n<p>Here is an example with the same password and the static salt:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>username<\/strong><\/th><th><strong>password<\/strong><\/th><\/tr><\/thead><tbody><tr><td>b.king<\/td><td>81345f0d478885f72dd51c07cc3ab146<\/td><\/tr><tr><td>m.donald<\/td><td>244b7f46f6aa268fc862e73d81cfc832<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_do_you_need_to_use_salt_with_MD5\"><\/span>Why do you need to use salt with MD5?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_decrypt_a_MD5\"><\/span>How to decrypt a MD5?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The main weakness of the MD5 algorithm is its speed.<br>You can encrypt many words in a few amounts of time.<br>So, it&#8217;s possible to make many tries each second, to find the password behind an MD5 hash.<\/p>\n\n\n\n<p>To decrypt a password, a hacker will use two different methods:<\/p>\n\n\n\n<ul><li><strong>Brute force attacks<\/strong>: make the maximum tries each second until he finds the word<\/li><li><strong>Using a database<\/strong>: look up for the word in a database<\/li><\/ul>\n\n\n\n<p>If you want to learn more about this <a rel=\"noopener noreferrer\" href=\"https:\/\/infosecscout.com\/how-md5-decryption-works\/\" target=\"_blank\">MD5 decryption methods<\/a>, click on the link to check my other post on the subject.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_do_you_need_to_use_salt\"><\/span>Why do you need to use salt?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>With both methods, the password length is an issue for him to find the decrypted hash value.<\/p>\n\n\n\n<p>In brute force mode, the attacker will probably start with the most common passwords, and then start the alphabet list (a, b, &#8230; aa, ab, &#8230;).<br>I don&#8217;t have the current time needed for each password length, but the more characters you have the best it is. So if you add 32 characters with your salt, no matter the password size, you&#8217;re almost safe.<\/p>\n\n\n\n<p>And it&#8217;s the same problem by using an MD5 hash database.<br>If we don&#8217;t consider special characters, there are 62 possibilities for each password letter:<\/p>\n\n\n\n<ul><li>Alphabet lower case: 26<\/li><li>Alphabet upper case: 26<\/li><li>Digits: 10<\/li><\/ul>\n\n\n\n<p>So the number of total hash to generate and store increase fast:<\/p>\n\n\n\n<ul><li>3 characters password:&nbsp;140,608<\/li><li>4 characters password:&nbsp;7,311,616<\/li><li>5 characters password:&nbsp;380,204,032 possibilities<\/li><li>6 characters password:&nbsp;19,770,609,664 possibilities<\/li><li>etc &#8230;<\/li><\/ul>\n\n\n\n<p>This is an exponential function.<br>You could guess that a 6 characters password is two times safer than a 3 characters password.<br>But no, it adds a lot more possibilities for each additional character.<\/p>\n\n\n\n<p>You understand that <strong>with a password of 30 characters or more there is probably\u00a0no\u00a0database that will have the information, except for basic phrases<\/strong>.<br>That&#8217;s why using salt, or at least asking for long passwords is a good practice.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_add_salt_into_a_MD5\"><\/span>How to add salt into a MD5?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Now that\u00a0you are convinced that this is important, here&#8217;s how to do it.<br>In fact, it&#8217;s easy, you just\u00a0need to concatenate the two strings together.<\/p>\n\n\n\n<p><strong>In PHP for example, you need to use the point symbol to concatenate two strings:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php\n$salt = \"randomstringforsalt\";\n$password = $_POST['password'];\n\n$md5 = md5($salt.$password);\n?&gt;<\/pre>\n\n\n\n<p><span id=\"selectionBoundary_1549725323584_4423439215079805\" class=\"rangySelectionBoundary\" style=\"line-height: 0; display: none;\"><\/span>It&#8217;s that simple.<br>Don&#8217;t forget to use a long salt, or even better a dynamic salt.<br>If your salt is &#8220;1234&#8221; it&#8217;s like you didn&#8217;t use one (azerty or azerty1234 are two weak passwords).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>That&#8217;s it, you now know how to use MD5 salt in your code, and why it&#8217;s so important if you want to stay with an MD5 encryption method.<\/p>\n\n\n\n<p>But if you can, it&#8217;s probably the best option to choose another algorithm.<br>In PHP, you have the password_hash() function, or you can also use bcrypt or scrypt to get a safer password in your database.<\/p>\n\n\n\n<p>But it&#8217;s a good thing to have learned what is salt and how to use it, as you can use salt with any cryptographic algorithm.<span id=\"selectionBoundary_1549725632656_993281435758955\" class=\"rangySelectionBoundary\" style=\"line-height: 0; display: none;\"><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You probably already know that MD5 hashing is not a secure way to store passwords.If you know our services, you probably know that\u00a0we have a giant database with many words, that can be decrypted in a few seconds.By using salt, you could protect yourself a bit\u00a0more against this kind of database, but not so much&#8230;<\/p>\n","protected":false},"author":1,"featured_media":75,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2019\/02\/Vignette-MD5-3.png",292,133,false],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/42"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":10,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"predecessor-version":[{"id":243,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/42\/revisions\/243"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/75"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}