I originally wrote this in a discussion over at the West Wind forums. I’m reposting it here for informational purposes.
MD5 can easily be reversed using a lookup of ‘known’ hashes. So if user ‘Bob’ made a choose a password of ‘abc’ and we encrypted it on the client then sent it to the server we could store it in the databases as a hash instead of plain text. Hashing something without a salt would lead to a problem when the table got stolen or a man in the middle attack occurred. The bad guy could then take the hash and look it up in the reverse table then would have Bob’s password in plain text. Salt is when you combine Bob’s password with something else. For example, create a hash of his last name, DOB, and UserId…append it to the end of the password hash his browser sent and hash them together to compare with the hashed password.
Hmm…that didn’t make a lot of sense to me…I need more Code Red. I’ll try this way:
Bob signs up for your site with user name ‘Bob’ and password ‘1234’
Password in plain text: 1234
Password hash (1234, easily reversed): 81dc9bdb52d04dc20036dbd8313ed055
Password hash with salt (1234+Bob, not as easily reversed): 27d5c234335b9762416808e2ace80842
Password hash with salt + GUID: (1234+Bob+791ae620-e2f5-11db-8314-0800200c9a66, very hard to reverse): 34e25923be3cad2bb140c8c508f59e16
Store the hash of 1234 in your table, then when it is time to compare, make sure you concatenate consistently to get the right result.
I found an MD5 program by Gilles Patrick that works really well off of the VFP Wiki. It produces results that agree with the client side JS MD5 program I linked to above.
Hashing a single word is not nearly as secure as hashing that word plus some random (but consistent) text. More and more people use the same password for their email, system, start page, etc and I think my users appreciate it when I tell them up front that I don’t know their password. Recovering a users password can be a little tricky in that they have to create a new one instead of you telling them what it is, but security questions and using the email address on file works out good for recovery.
I’m no expert on this stuff, but here are some people that are.