5 Replies - 428 Views - Last Post: 29 January 2014 - 04:46 AM

#1 Hulu

MD5 and Salt Username and Password

Posted 28 January 2014 - 10:50 PM

I am trying to use md5 and salt the password, so for example the account name and stackoverflow md5 and salted looks like O ظ;~\ when it is done correctly, but I am getting what looks to be just the md5; it's like it's not salting the account name and password. So when I do the md5 hash of the account name and jade it looks like 0xea606b4cae6ae9a68a5da45d57c3309d but what I'm really looking for is `kLj馊]]W0

Here is a snippet of the code I am using for an example.

    $new = isset($_POST['new']) ? $_POST['new'] : '';
    $old = isset($_POST['old']) ? $_POST['old'] : '';
    $con = isset($_POST['con']) ? $_POST['con'] : '';
    $this->view->usr = mysql_real_escape_string(StrToLower(Trim($this->view->usr)));
    $new = mysql_real_escape_string(StrToLower(Trim($new)));

    $Salt = $this->view->name.$new;
    $Salt = md5($Salt);
    $Salt = "0x".$Salt; //Salts the password in md5.

    //$this->view->salt = $this->view->name.$new;
    //$this->view->salt = md5($this->view->salt);
    //$this->view->salt = "0x".$this->view->salt; //Salts the password in md5.
    $this->view->msg = "";
    $this->view->err = false;

    if($old != $this->view->pss){
        $this->view->msg = "Old Password is Incorrect";
    }elseif($new == ""){
        $this->view->msg = "New Password is Empty";
    }elseif($con != $new){
        $this->view->msg = "Please Confirm Password Correctly";
    }else{
        $arr = array(":idnumber" => $new, ":passwd" => $Salt);
        $this->database->DBSet($arr,'users',$whr = 'WHERE ID = '.$this->view->usr);
        $this->view->msg = "Password is Successfully Changed";
        $this->view->err = true;
    }


I do have a script that works and returns what I am looking for, but it uses the following procedure from the database so I have to do call changepasswd('$Login', $Salt).

BEGIN
 START TRANSACTION;
  UPDATE users SET passwd = passwd1 WHERE name = name1;
 COMMIT;
END


I did notice that $Salt is outside of 'single quotes', is there a way to do that with the following snippet?

$arr = array(":idnumber" => $new, ":passwd" => $Salt);

I thought I would be able to do the same thing with this PDO Update function

    // Update
    function DBSet($arr,$tbl,$whr = ''){
        $stmt = array();
        foreach($arr as $fld => $val){
            $stmt[] =  str_replace(":","",$fld)." = ".$fld;
        }
        $stm =  implode(",",$stmt);
        $sql =  self::UPDATE.$tbl." SET ".$stm.' '.$whr;
        $sth =  $this->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
        $sth->execute($arr);
    }


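Why the DBSet call above stores the text 0x... while call changepasswd('$Login', $Salt) stores bytes, shown as an added example that is not part of the original post: in the procedure call the unquoted 0x... is parsed by MySQL as a hex literal, whereas a bound parameter is always data. Assumptions: the value the game expects is the raw 16-byte MD5 digest, the account name "demo" and password "secret" are constructed, and an in-memory SQLite database stands in for the MySQL users table.

```php
<?php
// Added example, not the poster's code. Constructed inputs: account "demo", password "secret".
// Assumption: SQLite in memory stands in for the MySQL `users` table.

function legacyDigest(string $name, string $password, bool $raw): string
{
    // Same scheme as the post: MD5 over account name followed by password.
    return md5($name . $password, $raw);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, passwd BLOB)');
$db->exec('INSERT INTO users (ID) VALUES (1), (2)');

$update = $db->prepare('UPDATE users SET passwd = :passwd WHERE ID = :id');

// Row 1: what the posted code binds. A placeholder carries data only, so the
// leading "0x" is never parsed as a hex literal; 34 characters of text are stored.
$asText = '0x' . legacyDigest('demo', 'secret', false);
$update->bindValue(':passwd', $asText, PDO::PARAM_STR);
$update->bindValue(':id', 1, PDO::PARAM_INT);
$update->execute();

// Row 2: bind the 16 raw digest bytes, which is what an unquoted 0x... literal
// yields when it is written into the SQL text itself.
$asBytes = legacyDigest('demo', 'secret', true);
$update->bindValue(':passwd', $asBytes, PDO::PARAM_LOB);
$update->bindValue(':id', 2, PDO::PARAM_INT);
$update->execute();

// Compare what was actually stored in each row.
foreach ($db->query('SELECT ID, length(passwd) AS n, hex(passwd) AS h FROM users') as $row) {
    printf("ID %d: length %d, hex %s\n", $row['ID'], $row['n'], $row['h']);
}
```

Binding the raw bytes gives the same stored value as the procedure call while keeping the value out of the SQL text, so nothing from the request is interpolated into the statement.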

Replies To: MD5 and Salt Username and Password

#2 Ntwiles

Re: MD5 and Salt Username and Password

Posted 28 January 2014 - 11:13 PM

$Salt = $this->view->name.$new;
$Salt = md5($Salt);
$Salt = "0x".$Salt; //Salts the password in md5.



You're concatenating $this->view->name (Your 'salt', but what is that value exactly? It doesn't look like it would be very unique), with your password, and THEN applying an MD5 hash to it. Then you add '0x' to the beginning of the salted and hashed string. If no further alterations are done, you should expect an MD5 hash (32 characters) with an '0x' in front.

Why are you expecting a value of OÜ ª€ÉظÖÙõà;~\?

For what you're doing, a more descriptive script would be:

$password = $new;                    //Just for comprehension 
$salt = $this->view->name;           //Same
$salted_hash = md5($salt.$password); //MD5 of salt+password
$salted_hash = "0x".$salted_hash;    //Not sure what this line is

This post has been edited by Ntwiles: 28 January 2014 - 11:25 PM


#3 Hulu

Re: MD5 and Salt Username and Password

Posted 28 January 2014 - 11:30 PM

$this->view->name is the account name they are logged in as. O ظ;~\ is how the game I host reads the password. But I am able to change the pass with the call changepasswd

#4 Ntwiles

Re: MD5 and Salt Username and Password

Posted 28 January 2014 - 11:35 PM

The game you host? Can you be more specific? When you say 'how it reads' do you mean that passwords are stored in the database already in that form?

That OÜ ª€ÉظÖÙõà;~\ is not the result of an MD5 hash (unless it's further manipulated somehow). Trying to reverse engineer the algorithm used to hash it could be very difficult if you don't already know what it is.

This post has been edited by Ntwiles: 28 January 2014 - 11:37 PM


#5 Hulu

Re: MD5 and Salt Username and Password

Posted 28 January 2014 - 11:45 PM

Yes the passwords are stored that way, I posted the procedure which is the Call changepasswd()

#6 JackOfAllTrades

Re: MD5 and Salt Username and Password

Posted 29 January 2014 - 04:46 AM

STAAHHHHHHPPPPPPP!!!!

Read this and use it to do password security properly.
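One way to act on the advice above in PHP, as an added example that is not from the thread or from the article it linked: check a login against the thread's md5(name.password) scheme and, on success, replace the record with a password_hash() value. Assumptions: legacy records are 32-character hex digests, the account name and passwords are constructed, and the web application keeps its own credential column, since the game server in the thread expects the MD5 format.

```php
<?php
// Added example, not code from the thread. Account name and passwords are constructed.

// Legacy scheme from the thread: MD5 over account name + password.
function legacyHash(string $name, string $password): string
{
    return md5($name . $password);
}

// Verify a login against either format. Returns the hash that should be stored
// afterwards, or null when the password is wrong.
function verifyAndUpgrade(string $name, string $password, string $stored): ?string
{
    // Assumption: legacy records are bare 32-character lowercase hex digests.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;

    if ($isLegacy) {
        // Constant-time comparison of the old hex digest.
        if (!hash_equals($stored, legacyHash($name, $password))) {
            return null;
        }
        // Correct password: replace the MD5 record with a slow, randomly salted hash.
        return password_hash($password, PASSWORD_DEFAULT);
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash when the default algorithm or cost has changed since this hash was made.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

$stored = legacyHash('demo', 'correct horse');                 // constructed legacy record
var_dump(verifyAndUpgrade('demo', 'wrong', $stored));           // rejected login
$stored = verifyAndUpgrade('demo', 'correct horse', $stored);   // upgraded on success
var_dump(password_get_info($stored)['algoName']);               // algorithm now in use
var_dump(verifyAndUpgrade('demo', 'correct horse', $stored) === $stored);
```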
