How to Use Salted MD5 Hash for Securing Login Passwords

MD5 (Message-Digest algorithm 5) is a very popular cryptographic hash function that produces a 128-bit hash value. It is one-way: the input cannot be computed back from the hash. However, crackers may use techniques such as brute force (the easiest to implement, but with a low success rate: a brute-force attack simply tries all possible combinations until it finds the correct one) and collision checking (harder to implement: the attempt to find two different inputs to the MD5 algorithm that produce the same hash). The following tutorial explains how to use a salted MD5 hash for securing login passwords.

Because MD5 generates the same hash value for the same password every time, it is better to send the salted MD5 hash of the password. That is, instead of sending the MD5 hash of the password, send MD5_Hash(MD5_Hash(user password) + salt). Because the salt is added to the MD5 hash of the password before the second MD5 hash is generated, a new value is sent every time, so it is hard to crack, or takes more time to crack.
Now let us see how to use a salted MD5 hash in your application, especially for the login screen. The following steps and code will guide you.


I) In the Login Page JSP:

     1) Calculate the MD5 hash of the user's input password → A

     2) Add random values (the salt) to A → B

     3) Calculate the MD5 hash of B → C

Now C is sent to the server.

Note: the salt is calculated by the server-side script in the JSP and stored in the session. The code is as follows.

JavaScript code:

ran is a hidden field in the JSP which contains the salt value.

II) On the server side:

Retrieve the actual password from the server database by using the login id. (The server database holds the MD5 hash value of the original password as the encrypted password.)

Now find MD5 hash (database encrypted password + salt) → D. Now compare C with D. If both are equal, the user is authenticated.

Sample Code for the above steps.

Server Side Code (Partly):

Note: Please download md5.js and include it in the login page JSP. You can also use sha1.js (Secure Hash Algorithm); the function name will be hex_sha1. The above sample code is based on the Struts framework.
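The exchange in steps I and II, written out as an added example that is not the original post's code. It uses Node's built-in crypto module in place of md5.js, and the function names, the sample user, the single-use salt and the constant-time comparison are assumptions of this example.

```javascript
// Added example: both sides of the salted-MD5 login exchange in one file.
const crypto = require('node:crypto');

// Lowercase hex MD5 of a string (the role hex_md5 plays in the login page).
const md5Hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample data: the database stores MD5(password) per login id.
const userDb = new Map([['alice', md5Hex('correct horse')]]);

// Server, when rendering the login page: a fresh random salt is stored in
// the session and written into the hidden field "ran".
function issueSalt(session) {
  session.salt = crypto.randomBytes(16).toString('hex');
  return session.salt;
}

// Client (step I): A = MD5(password), B = A + salt, C = MD5(B).
function clientResponse(password, salt) {
  const a = md5Hex(password);
  const b = a + salt;
  return md5Hex(b);
}

// Server (step II): D = MD5(stored hash + salt); authenticated when C equals D.
function verifyLogin(session, loginId, c) {
  const salt = session.salt;
  // Assumption of this example: a salt is valid for one attempt only,
  // so a previously sent C is rejected if it is submitted again.
  session.salt = null;
  const stored = userDb.get(loginId);
  if (!salt || !stored || typeof c !== 'string') return false;
  const d = Buffer.from(md5Hex(stored + salt), 'utf8');
  const got = Buffer.from(c, 'utf8');
  // timingSafeEqual needs equal lengths, so check that first.
  return got.length === d.length && crypto.timingSafeEqual(got, d);
}
```

C is computed from the stored MD5(password) and the salt alone, so the stored hash column needs the same protection as the passwords themselves.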
