It’s really simple to generate an MD5 and SHA1 hash using PHP; it’s so simple that I even considered not posting this blog. But then I found myself Googling for a website to generate an MD5 hash while I was at work. So I created a simple form for you to create your own MD5 and SHA1 hash.
What can I do to make my passwords more secure?
One word: Salt. You want to salt all your hashes, and keep your salt private. A salt is equivalent to adding extra miscellaneous data to your user’s password. For example, according to Wikipedia:
Assume a user’s (encrypted) secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt. The salted key is now the original password appended to this random 32-bit salt. Because of this salt, the attacker’s pre-calculated hashes are of no value. He must calculate the hash of each word with each of 2^(32) (4,294,967,296) possible salts appended until a match is found. The total number of possible inputs can be obtained by multiplying the number of words in the dictionary with the number of possible salts:
2^(32) * 200 000 = 8.58993459 * 10^(14)
To complete a brute-force attack, the attacker must now compute about 800 trillion hashes, instead of only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking the password radically more difficult.
So, how do I salt my password?
Easy: just add any string at either the beginning or the end of the user’s password. Just remember, the most important factor is to keep it secret; do not share it with anyone! Let’s assume the following is my PHP code:
$salt = 'fenfnk4n2kt4$#%$%&l%URàEGMÜEWQTF4%©YRTesadssôd av frH^%Ewqefty75$%^&*()(765432';
$hash = md5($salt . $_POST['password']);
Now every time a user submits their password, you can add this salt at the front, the end, or even both. An added benefit of generating the hash with the above function call is that, when you compare this value to the one in your database, md5() returns it with raw_output set to false. This means it returns a 32-character hexadecimal string (i.e. only the digits 0-9 and the letters a-f), with no special SQL characters that could cause damage via a nasty SQL injection.
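As an added example (not code from the original post), here is the site-wide salt scheme above next to a per-user random salt and PHP's built-in password_hash() / password_verify(). It goes beyond the single static salt the post describes. The function names, the site salt and the sample passwords are constructed for illustration.

```php
<?php
// Added example; salt, passwords and function names are constructed for illustration.

// The post's scheme: one site-wide salt prepended to every password.
function staticSaltHash(string $siteSalt, string $password): string
{
    return md5($siteSalt . $password);
}

// Per-user variant: a fresh random salt is generated and stored beside each hash.
function perUserSaltHash(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 128-bit random salt, hex-encoded
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function perUserSaltVerify(array $record, string $candidate): bool
{
    // hash_equals() compares the two hex strings in constant time.
    return hash_equals($record['hash'], md5($record['salt'] . $candidate));
}

$siteSalt = 'constructed-site-wide-salt';
$password = 'MySup3rSecretPassw0rd'; // two users pick the same password

// Static salt: equal passwords produce equal hashes, so one recovered
// password exposes every account that shares it.
$a = staticSaltHash($siteSalt, $password);
$b = staticSaltHash($siteSalt, $password);
printf("static salt, hashes equal:   %s\n", var_export($a === $b, true));

// Per-user salt: the same password is stored as two unrelated hashes.
$ra = perUserSaltHash($password);
$rb = perUserSaltHash($password);
printf("per-user salt, hashes equal: %s\n", var_export($ra['hash'] === $rb['hash'], true));
printf("per-user salt, verify:       %s\n", var_export(perUserSaltVerify($ra, $password), true));

// PHP's built-in API generates a random salt per hash and uses a slow,
// password-specific algorithm; the salt is embedded in the returned string.
$stored = password_hash($password, PASSWORD_DEFAULT);
printf("password_hash, correct:      %s\n", var_export(password_verify($password, $stored), true));
printf("password_hash, wrong:        %s\n", var_export(password_verify('123Password', $stored), true));
```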
What is hashing?
To put it simply, hashing was created to be a one-way encryption. Of course there’s no such thing as secure in this day and age, especially with brute force crackers out there. Ideally, hashing is done so that there is no way to recover the password. A good analogy is a digital hammer that smashes a string exactly the same way each and every time. For example, if we were to take this digital hammer and create an MD5 hash for 123Password, we would get d54b609242c7d758f6daca654bda1d26 every single time. If we were to add a space in the middle, or any other character for that matter, it would "break" in a completely different pattern. For example, 123 Password would create the following hash: ffeefad21f5f4a9f2b44992342d551ba. As you can see, adding one space between 123 and Password created a completely different hash.
How to generate an MD5 and SHA1 hash in PHP:
$password = 'MySup3rSecretPassw0rd';
$md5Hash = md5($password);
$sha1Hash = sha1($password);
How to generate an MD5 and SHA1 hash in MySQL:
SELECT md5('MySup3rSecretPassw0rd'), sha1('MySup3rSecretPassw0rd') LIMIT 1;
How to generate an MD5 and SHA1 hash in binary using MSSQL. Remember, this is a binary output, not hex.
SELECT HashBytes('MD5', 'password'), HashBytes('SHA1', 'password');