Fun Infused Games  |   Smooth Operator

  Home   |    Archive   |    About
Posts prior to 8/2/2010 may be missing data. If you need one of those posts, please contact and I will try and recover/find it.

Salt an MD5 Hash For a Password String
Date 12/2/2008    Tags C#    (0)

In my article Create an MD5 Hash For a Password String, I walked through setting up creating an MD5 encoded string which is intended to hide passwords from someone that might gain access to your database.

While more secure than no security, there are still flaws with using MD5 hashes. One common exploitation is to use rainbow tables (giant tables of strings and their equivalent hashes) in order to determine the original input string.

Let's say your password is "password". Turning this into an MD5 hash gives you "D8-92-8D-87-A4-DE-1B-07-86-B1-F9-78-BA-DF-5A-1C". Because "password" is commonly used, a villain can look up your hash and while they cannot reverse it to get your password, they can cross-reference it in their rainbow table and determine your password.

That's why you want to avoid using commonly used words, dates, and phrases. I'm sure you're smart enough to do that, but you can't guarantee that your users will be so savvy. That's where adding a salt to the hash comes in.

Now let's say you use the password "password" again. This time though, you salt it by adding "*K32!@n" to the end of the string. The hash you then get becomes "CD-B5-ED-75-3B-F1-D3-47-BF-15-CF-84-8E-04-47-AE". To the user, they've still entered "password". But it's much more secure because the chances aren't good that someone has something that matches "password*K32!@n" in their rainbow table.

Below is the updated code to do this.
public static string md5EncodeString2(string inputString)
    string saltedString = inputString + "*K32!@n"; 

    // Encrypt this user's password information.
    MD5 md5EncryptionObject = new MD5CryptoServiceProvider();
    Byte[] originalStringBytes = ASCIIEncoding.Default.GetBytes(saltedString);
    Byte[] encodedStringBytes = md5EncryptionObject.ComputeHash(originalStringBytes);

    // Assign encrypted code as the user's password.
    return BitConverter.ToString(encodedStringBytes);
This still isn't a perfect solution because if someone where to get a hold of your source code, they could determine the salt you used and thus adjust their rainbow tables accordingly. But it is at least more secure than using an MD5 hash by itself.

kick it on
/tds/go.php?sid=1" w

This article has been view 2889 times.


No comments for this article.

Add Comments

Name *
  Name the animal in the picture below:

Comment *
Insert Cancel
Things To Click

Video Games (7)  Trivia or Die (3)  SQL (1)  iOS (3)  Game Dev (11)  Advise (14)  PC (1)  World of Chalk (2)  FIN (20)  Abduction Action! (27)  XBLIG (32)  Abduction Action (1)  Nastier (4) (18)  Absurd (2)  Volchaos (11)  Web (19)  Fin (1)  XNA (40)  Rant (50)  Cool (2)  Visual Studio (1)  Trivia Or Die (1)  Xbox (1)  C# (14)  Sports (11)  Design (2)  Development (13)  Hypership (28)  WP7 (8)  VolChaos (1)  Nasty (34)  Abdction Action! (1)