-3

I'm coding a CMS, but does this work?

    MD5(MD5(username+password)+salt+rsalt);

The rsalt stands for randomized salt, but how can I randomize a salt anyway?

Amal Murali
  • 3
    Use a [secure hash](http://stackoverflow.com/a/5235195/1557526) method instead of fiddling with `md5`! – kero Dec 04 '13 at 12:53
  • 1
    If you do not know how to store passwords, you should not be "coding a CMS". – tereško Dec 04 '13 at 13:08
  • agreed with @kingkero -- MD5 is broken. Don't use it for passwords under any circumstances, not even with multiple hashes and salts. Use bcrypt instead. – Spudley Dec 04 '13 at 13:08

1 Answer

3
  1. You can randomize the salt if you are storing said salt in the user's table. Otherwise, how will you be able to tell if the hash is correct?
  2. MD5 is not a secure hash function. You should use something like `password_hash` if you have PHP >= 5.5 or the `password_compat` library by ircmaxell if you're using an earlier version.
Wayne Whitty
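
The approach from the answer above, as an added example that is not part of the original post: `password_hash` generates a random salt for every call and embeds it in the returned string, so the value stored in the user's row is all that is needed to verify later. The `$users` array and the function names `register_user` and `check_login` are constructed stand-ins for a real users table and CMS code.

```php
<?php
// Added example. $users is a constructed in-memory stand-in for the users
// table; in a database the hash column should be VARCHAR(255).
$users = array();

function register_user(array &$users, $username, $password)
{
    // password_hash() draws a fresh random salt on every call and stores it,
    // together with the algorithm and cost, inside the returned string.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() reads the salt and cost back out of the stored hash
    // and performs a timing-safe comparison.
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // If PHP's default algorithm or cost has changed since this hash was
    // created, re-hash while the plaintext is available and store the result.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample accounts: two users who picked the same password.
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

// The stored values differ because each one carries its own random salt.
var_dump($users['alice'] !== $users['bob']);

// Verification needs only the stored string, no separate salt column.
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));

// The algorithm and cost are recoverable from the stored hash itself.
print_r(password_get_info($users['alice']));
```

On PHP versions before 5.5 the same three functions are provided by the `password_compat` library mentioned in the answer.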