7

how can "decode" the password stored in various e-commerce adding "salt". I'm not crypth experts... so, in past, i used something like: 

SELECT * FROM mytable WHERE email=@email AND passwd=MD5(@pwd)

MySql MD5 function accept only one parameter... How can i do if i have a Salt string ? Thanks

stighy
  • 7,260
  • 25
  • 97
  • 157
  • possible duplicate of [What is the purpose of salt?](http://stackoverflow.com/questions/5051007/what-is-the-purpose-of-salt) – Greg Hewgill May 05 '11 at 20:32
  • I don't think it's possible, even if you have the salt. – Chris Schmitz May 05 '11 at 20:34
  • MD5 is not good for hashing passwords, and a salt just makes it barely better: [http://security.stackexchange.com/q/211/13877](http://security.stackexchange.com/q/211/13877) – Pablo Feb 10 '15 at 13:41

3 Answers3

9

You need to add a column in mytable called salt and then retrieve this value when creating the MD5 Hash:

SELECT * FROM mytable WHERE email=@email AND passwd=MD5(salt + ':' +@pwd)

When inserting the record you would do:

INSERT INTO mytable(email, salt, passwd)
VALUES (@email, @salt, MD5(salt + ':' + @pwd)
Alan Savage
  • 822
  • 1
  • 12
  • 24
4

Salt is a string you add to the beginning of text which should be encrypted.

Do it like: SELECT * FROM mytable WHERE email=@email AND passwd=MD5(CONCAT(@salt, @pwd))

Dr McKay
  • 2,548
  • 2
  • 21
  • 26
  • Usually in my applications I assume that salt is constant. Of course you can keep it in a table. – Dr McKay May 06 '11 at 12:42
  • 1
    If the salt is constant then this will eliminate the purpose of salt. If I use the password: secret on my website and somehow I was able to gain access to your database. I could easily see which other users also have chosen the same password: secret; since the MD5 hash would be identical. – Alan Savage May 07 '11 at 19:25
  • True, but what's the possibility of this kind of event? Assume situation: attacker compromises database and gets tons of MD5, salt remains secret. If salt is long enough, he won't be able to decode all of them in a reasonable time. But when there's a per-user salt, if user's password is short enough, he'll be able to crack it. Please note, that I'm not a cryptography expert and I will be thankful to you for correcting me if I'm wrong. – Dr McKay May 07 '11 at 22:52
2

That logic should be in the application, then you'll simply compare the calculated value against what's stored in the database.

(If not in the application, you could use functions in MySQL, but I wouldn't recommend that approach. I like to keep all application logic in one place if possible, not spread in different parts.)

If you run functions like that in the WHERE clauses of your query, MySQL will be unable to use an index on passwd because it has to calculate something for every value in the passwd column. Instead, do your salting and hashing in your application, then compare that final string against your stored info in a plain query that can use an index, like this

SELECT * FROM mytable WHERE email=@email AND passwd=@pwdhash
Wiseguy
  • 20,522
  • 8
  • 65
  • 81
  • 1
    Why the one downvote? If I'm wrong about something, please point it out. I'm here to learn, too. :-) – Wiseguy May 05 '11 at 21:39