How to Use Salted MD5 Hash for securing Login passwords.

MD5 (Message-Digest algorithm 5) is a most popular Cryptographic Hash Function which is 128 bit encryption algorithm . This is way One-Way Encryption. However Crackers may use possible techniques like Brute Force (easiest, but success low, brute force attack simply tries all possible combinations, until it finds the correct solution) , Collision Checking (harder to implement) ( Collision checking is the attempt to find two different inputs to the md5 algorithm which create the same generated hash). The following tutorial explains about how to use Salted MD5 Hash for securing login passwords.

As MD5 hash generates the same encrypted value for the same password everytime, it is better to send the Salted MD5 hash value of the password. That means instead of sending MD5 hash of the password , send the MD5_Hash (MD5_Hash(user password) + salt) . As the MD5 hash value of password is added with salt then MD5 hash is generated , every time new encrypted value is sent . So it is hard to crack or takes more time to crack.
Now Let us see how to use Salted MD5 hash in your application especially for login screen. The following steps and code will guide you.


I) In the Login Page JSP:

     1) Calculate MD5 of the user Input Password — > A

     2) Add Randam values (Salt) to A — > B

     3) Again Calculate MD5 hash of B — > C

Now C is sent to server

Note : salt is calculated using the server side script in the JSP and stored in session. Code is as follows

 // Characters allowed for the salt string
 String SALTCHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
 StringBuffer salt = new StringBuffer();
 java.util.Random rnd = new java.util.Random();
 // build a random 9 chars salt 
 while (salt.length() < 9)
   int index = (int) (rnd.nextFloat() * SALTCHARS.length());
   salt.append(SALTCHARS.substring(index, index+1));
 String saltStr=salt.toString();
 session.setAttribute("ran",saltStr); // Salt String is stored in session so that  we can retrieve in the serverside which is used to add with encrypted(MD5) passwo rd retrieved from the database 
% >
 <html:hidden property="ran" value=" <%=saltStr% >"/ > // the salt string is stored in the hidden field ran

Java Script Code :

   var password=document.loginForm.password1.value; 
   var ran=document.loginForm.ran.value; 
   var hash=hex_md5(pass);   // MD5 Hash of user input password  
   var saltedhash=hex_md5(hash+ran);  // Added with salt and the MD5 hash
   document.loginForm.password.value=saltedhash;  // sent to the server 

ran is a hidden field in the JSP whch contains the Salt Value.

II) In the serverside:

Retrive the actual password from server database by using login id. ( Server Database will have the MD5 hash value of the original Password as encripted password).

Now find MD5 hash ( Database encrypted Password + salt ) — > D. Now compare C with D . If both are equal means , then the user is authenticated.

Sample Code for the above steps.

Server Side Code (Partly):

String uesrid = loginForm.getLogin().trim();
 String passwd = loginForm.getPassword().trim();  // Encrypted Password from the user. (MD5 hash of MD5 hash password + salt)
HttpSession session1 = request.getSession(false);
String ran = (String) session1.getAttribute("ran");
       conn = Connection to the database.
   strQuery = "select password from user_login where UNAME=? "; // query for getting the encrypted passord from the table user_login
   prestmt = conn.prepareStatement(strQuery);
   prestmt.setString(1, uesrid);
   r_set = pstmt.executeQuery();
   if ( {
     pwd = r_set.getString("password");  // md5 hash value of the actual password 
     pwd = pwd.trim();
     DBPassword = getHash(pwd+ran); 

     if (DBPassword.equals(passwd))  {   success=true;  }

// Function for getting MD5 hash Value.
public static String getHash(String pass) {
     byte buf[] = pass.getBytes();
     String hexStr = "";
   try {
      MessageDigest algorithm = MessageDigest.getInstance("MD5");
        byte[] digest = algorithm.digest();
       // get the hex string 
     for (int i = 0; i  &lt; digest.length; i++) {
       hexStr += Integer.toString((digest[i] &amp; 0xff) + 0x100, 16).substring(1);
     } catch (Exception ex) {
        return "";
    return hexStr.toString();

Note : Please download md5.js and include in the login page jsp . You can also use sha1.js (Secured hash algorithm). function name will be hex_sha1 . The above sample code is based on struts framework.


Leave a Reply

Visit Us On TwitterVisit Us On FacebookCheck Our Feed