They say you should never store or transmit passwords in plain text. Instead, encrypt them first, preferably “one-way” so that you can only compare the encrypted signatures and can’t actually retrieve the original passwords. MD5 produces a one-way signature. But what if the original password is some well-known word or phrase? For example, the MD5 of “password” is 5F4DCC3B5AA765D61D8327DEB882CF99, so if you find that code stored in a password file then you know the original password was “password”. A dictionary of MD5 signatures will easily break any MD5-based password store unless you take the precaution of adding a few extras to the password before you hash it. Add some secret constants to the beginning, middle and/or end. Add other bits of the user’s credentials, such as the user name or other stored information. Then generate the MD5 signature for storage/transmission. It’s a simple precaution that will stop them throwing the book at you.
Categorised as: Uncategorized