Salt an MD5 Hash For a Password String
In my article Create an MD5 Hash For a Password String, I walked through setting up creating an MD5 encoded string which is intended to hide passwords from someone that might gain access to your database.
While more secure than no security, there are still flaws with using MD5 hashes. One common exploitation is to use rainbow tables (giant tables of strings and their equivalent hashes) in order to determine the original input string.
Let's say your password is "password". Turning this into an MD5 hash gives you "D8-92-8D-87-A4-DE-1B-07-86-B1-F9-78-BA-DF-5A-1C". Because "password" is commonly used, a villain can look up your hash and while they cannot reverse it to get your password, they can cross-reference it in their rainbow table and determine your password.
That's why you want to avoid using commonly used words, dates, and phrases. I'm sure you're smart enough to do that, but you can't guarantee that your users will be so savvy. That's where adding a salt to the hash comes in.
Now let's say you use the password "password" again. This time though, you salt it by adding "*K32!@n" to the end of the string. The hash you then get becomes "CD-B5-ED-75-3B-F1-D3-47-BF-15-CF-84-8E-04-47-AE". To the user, they've still entered "password". But it's much more secure because the chances aren't good that someone has something that matches "password*K32!@n" in their rainbow table.
Below is the updated code to do this.
public static string md5EncodeString2(string inputString)
string saltedString = inputString + "*K32!@n";
// Encrypt this user's password information.
MD5 md5EncryptionObject = new MD5CryptoServiceProvider();
Byte originalStringBytes = ASCIIEncoding.Default.GetBytes(saltedString);
Byte encodedStringBytes = md5EncryptionObject.ComputeHash(originalStringBytes);
// Assign encrypted code as the user's password.
This still isn't a perfect solution because if someone where to get a hold of your source code, they could determine the salt you used and thus adjust their rainbow tables accordingly. But it is at least more secure than using an MD5 hash by itself.
This article has been view 2889 times.