Fun Infused Games  |   Smooth Operator RSS 

  Home   |    Archive   |    Subscribe   |    Search   |    About
Posts prior to 8/2/2010 may be missing data. If you need one of those posts, please contact kriswd40@yahoo.com and I will try and recover/find it.

Salt an MD5 Hash For a Password String
Date 12/2/2008    Tags C#    (0)

In my article Create an MD5 Hash For a Password String, I walked through setting up creating an MD5 encoded string which is intended to hide passwords from someone that might gain access to your database.

While more secure than no security, there are still flaws with using MD5 hashes. One common exploitation is to use rainbow tables (giant tables of strings and their equivalent hashes) in order to determine the original input string.

Let's say your password is "password". Turning this into an MD5 hash gives you "D8-92-8D-87-A4-DE-1B-07-86-B1-F9-78-BA-DF-5A-1C". Because "password" is commonly used, a villain can look up your hash and while they cannot reverse it to get your password, they can cross-reference it in their rainbow table and determine your password.

That's why you want to avoid using commonly used words, dates, and phrases. I'm sure you're smart enough to do that, but you can't guarantee that your users will be so savvy. That's where adding a salt to the hash comes in.

Now let's say you use the password "password" again. This time though, you salt it by adding "*K32!@n" to the end of the string. The hash you then get becomes "CD-B5-ED-75-3B-F1-D3-47-BF-15-CF-84-8E-04-47-AE". To the user, they've still entered "password". But it's much more secure because the chances aren't good that someone has something that matches "password*K32!@n" in their rainbow table.

Below is the updated code to do this.
public static string md5EncodeString2(string inputString)
{
    string saltedString = inputString + "*K32!@n"; 

    // Encrypt this user's password information.
    MD5 md5EncryptionObject = new MD5CryptoServiceProvider();
    Byte[] originalStringBytes = ASCIIEncoding.Default.GetBytes(saltedString);
    Byte[] encodedStringBytes = md5EncryptionObject.ComputeHash(originalStringBytes);

    // Assign encrypted code as the user's password.
    return BitConverter.ToString(encodedStringBytes);
}
This still isn't a perfect solution because if someone where to get a hold of your source code, they could determine the salt you used and thus adjust their rainbow tables accordingly. But it is at least more secure than using an MD5 hash by itself.

kick it on DotNetKicks.com
/tds/go.php?sid=1" w


This article has been view 2889 times.


Comments

No comments for this article.


Add Comments

Name *
Website
  Name the animal in the picture below:

*  
Comment *
Insert Cancel


Tags
ASP.net (18)  Fin (1)  Video Games (7)  Game Dev (11)  Abduction Action (1)  WP7 (8)  Visual Studio (1)  Hypership (28)  Advise (14)  C# (14)  FIN (20)  World of Chalk (2)  Absurd (2)  Abduction Action! (27)  Nasty (34)  PC (1)  Cool (2)  Sports (11)  Rant (50)  VolChaos (1)  Development (13)  Design (2)  Volchaos (11)  XNA (40)  Nastier (4)  Xbox (1)  iOS (3)  SQL (1)  XBLIG (32)  Trivia or Die (3)  Web (19)  Trivia Or Die (1)  Abdction Action! (1)