Salting Passwords with a One-Way Hash Function

The most common way for a website or application to authenticate its users is to assign secret keys or passwords that grant access to their accounts. One way to store these passwords is to write them directly into the database. That would be a huge security hole in any server’s database, since anyone who gets access to that database can get into anyone’s account using the stored password.

A good solution to this loophole is to change the clear-text password into a form so unrecognizable that it is not possible to determine what the actual password was. Many hashing functions are used to accomplish this task. They take the password entered by the user and convert it into an unrecognizable form using a one-way hashing function (for example MD5). The advantage of this cryptographic technique is that once you have encoded the password, it can’t be decoded back to its original form. So there is no way a hacker would be able to decode the password.

This solution seems quite elegant, but wait: a new problem arises. Any site with hundreds or thousands of users will have users with the same password, right? So there is still a big security threat: if a user who shares a password with someone else gets hold of that person’s email or username, they can compromise that account. Enter “salting”. Salting a password means you concatenate a random string with the user’s password and THEN hash it with a hash function. This way each user will have a unique stored password even if their original passwords are the same!

Let me give a simple illustration. Say there are two users with the password “mypasscode” on a site called Now uses their email ids as usernames. So if user A (let’s call him Anon) can get his hands on the email address of user B (call him Bnon), then he will be able to access Bnon’s account without his permission. If were to use salting, they will not only encode both users’ passwords but also apply the salting technique while saving them. So they will take the password “mypasscode”, concatenate it with each user’s name to get “mypasscode:anon” and “mypasscode:bnon”, then hash the results and store them in the database. This way each user gets a unique stored password no matter what! Here is a small sample in PHP that implements our little example. When a user registers on a site, we can use these simple lines to add salting:

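     <?php
     // Get data from the registration form and store it in variables
     $user = "anon";
     $pwd = "mypasscode"; // the password selected by the new user
     // Show the salted string that will be hashed (demonstration only)
     echo $pwd . ":" . $user;
     // Hash the password concatenated with the username as the salt
     $hashpwd = md5($pwd . ":" . $user);
     echo "<br />" . $hashpwd;
     // Store $hashpwd in the database with the user.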

There is no restriction on what to use as the string concatenated with the password. It can be the user’s email address, the user’s name as in our example, or any other random string you wish to use for hashing. The end result is a very secure user table in your database. Most modern websites use this technique to store passwords. That’s the reason they don’t know your password when you forget it. You just have to reset it yourself; they will not send you your original password, because they don’t know it! If a site sends your password back to you, it’s a clear sign that it stores your password without proper security measures. So beware of such sites.
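The random-string variant mentioned above, as an added example that is not part of the original post: each user gets a random salt that is stored beside the hash and reused at login. The function names, the in-memory `$users` array and the iteration count are assumptions, and PBKDF2-SHA256 is swapped in for the single md5() call because a fast hash is cheap to guess against.

```php
<?php
// Added example: per-user random salt, stored with the hash, checked at login.
// $users is a constructed in-memory stand-in for the database user table.
$users = [];

// Assumption: tune the iteration count to what your hardware can afford.
const PBKDF2_ITERATIONS = 600000;

function register_user(array &$users, string $user, string $pwd): void
{
    // A fresh 16-byte random salt for every user, so equal passwords
    // never produce equal stored hashes.
    $salt = random_bytes(16);
    // PBKDF2-SHA256 replaces the page's md5(); length 0 = full digest, raw bytes.
    $hash = hash_pbkdf2('sha256', $pwd, $salt, PBKDF2_ITERATIONS, 0, true);
    // The salt is not secret: store it next to the hash so login can reuse it.
    $users[$user] = ['salt' => bin2hex($salt), 'hash' => bin2hex($hash)];
}

function check_login(array $users, string $user, string $pwd): bool
{
    if (!isset($users[$user])) {
        return false; // unknown user
    }
    // Recompute the hash with the salt saved at registration time.
    $salt = hex2bin($users[$user]['salt']);
    $hash = hash_pbkdf2('sha256', $pwd, $salt, PBKDF2_ITERATIONS, 0, true);
    // hash_equals() compares in constant time to avoid leaking match length.
    return hash_equals(hex2bin($users[$user]['hash']), $hash);
}

// Constructed sample data: two users who picked the same password.
register_user($users, 'anon', 'mypasscode');
register_user($users, 'bnon', 'mypasscode');

// Same password, yet the stored hashes differ because the salts differ.
var_dump($users['anon']['hash'] !== $users['bnon']['hash']);
// The correct password verifies; a wrong one does not.
var_dump(check_login($users, 'anon', 'mypasscode'));
var_dump(check_login($users, 'bnon', 'wrongpass'));
```

PHP's built-in password_hash() and password_verify() generate, store and reuse the salt in the same way without the manual steps.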

Happy Coding 🙂