security – Md5 salt password php-ThrowExceptions

Exception or error:

I know that there are a lot of questions about this subject, but I really need to ask this.

Today I’ve been working on encrypting passwords with md5.

So what I’ve done is.

I got 4 salts. (they change depending on user values)

  1. from email id and substr then md5 them
  2. from email and id substr other positions
  3. a long string, substr it and then md5 it
  4. another long string, substr it and then md5 it

Then I md5 salt1 and 3 and the password with salt 2 and salt4

After this I have to change the password automatically whenever a user changes his email or his id gets changed.

What do you guys think about this?

How to solve:


MD5 is broken and bad.

Using the mail address as salt is a good idea. But using md5 is not. Use bcrypt, scrypt or pbkdf2 instead.

Don’t invent your own encryption, unless you really know what you are doing, and trust me, you don’t.


First, let us define a few terms.

  • Encryption is when you encode a message so that it cannot be read. Encryption involves a plaintext, a cipher and a key. It is like putting a book (the plaintext) in a locked room (cipher), which can only be opened using a known tool (a key). There are many kinds of encryption, but that is a simple description. Encryption is two-way, meaning that you can encode and decode the message.

  • Cryptographic hash is when you take any kind of data and generate a fixed size value for it (usually called a hash or a digest). Cryptographic hashes are one-way, which means that you cannot reverse the process.

  • A salt is a unique string, or a collection of bits, similar to a nonce (a unique number that is only used once). Salts are only used to make it infeasible for a cracker to process a list of hashes. They are not supposed to be used as a secret (i.e. like a cryptographic key). The only reason people usually talk about randomness when it comes to salts is because they want to generate a unique salt (if the randomness is not great enough they may get colliding salts, for instance).

Okay, now to how you should hash a password.

A relatively safe way of hashing a password is to simply tack on a unique hash onto a password, and then save the salt with the password:

$pass = 'this is my password';
$salt = uniqid('', true);
$hash = sha1($pass . $salt);
// INSERT INTO users ('hash', 'salt') VALUES ('$hash', '$salt') WHERE ...

That is an okay way of doing it if your website does not retrieve any sensitive data from its users.

If you deal with sensitive data, or if you just want to make sure that you are doing everything you can to keep stuff safe, then there is a PHP function that does the hashing for you. It is called crypt() (read the documentation to learn how it works). Here is an example of how to hash a password using the function:

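$pass = 'this is my password';
// bcrypt needs a 22-character salt from ./0-9A-Za-z (random_bytes() requires PHP 7+)
$salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
// '$2y$' selects bcrypt, '07' is the cost; hash $pass, the variable defined above
$hash = crypt($pass, '$2y$07$' . $salt . '$');
echo $hash;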

That will securely hash a password.

The thing to realize is that the crypt() function is much more secure than anything you can come up with (unless you are a specialist in the area).

In newer versions of PHP (5.5.0+) there is a password hashing API that makes it even simpler to hash a password.

There are also various hashing libraries out there. PHPass is a popular one.


It is bad, because it uses MD5.

MD5 is a very fast operation. It can be executed billions of times per second on graphics card hardware. It is considered bad practice to use it for any password-related things.

Use bcrypt. Use a random salt. Use the upcoming PHP API for hashing, verifying and rehashing passwords. This include file implements it for versions starting with PHP 5.3.7:


Well, “MD5 is broken and bad” is a little exaggerated. Even if it can be brute-forced with a lot of CPU, it is not “broken” and is still a very useful algorithm for a lot of things involving hashing.

So “MD5 should not be used for password encryption” sounds much better to me.

When using PHP, an easy and safe option is to rely on the password_hash() and password_verify() functions.

The advantage is that the encryption algorithm can potentially be updated with each PHP version (at the moment PASSWORD_DEFAULT is set to bcrypt, but should bcrypt be “broken” it can be set to a newer algorithm), which makes any code using those functions quite resilient.
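
The register/login flow that password_hash() and password_verify() make possible, as an added example that is not part of the original answers; the in-memory $users array, the function names and the sample addresses are constructed for illustration. It also shows the rehash-on-login upgrade path and that an email change leaves the stored hash untouched, which was the asker's concern.

```php
<?php
// Added example: $users stands in for a users table (email => stored hash).
// All names and sample values are constructed for illustration.

function register(array &$users, string $email, string $password): void
{
    // password_hash() picks a random salt and embeds algorithm, cost and
    // salt in the returned string, so no separate salt column is needed.
    $users[$email] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email]) || !password_verify($password, $users[$email])) {
        return false;
    }
    // Hash made with an older algorithm or lower cost: upgrade it now,
    // while the plaintext password is available.
    if (password_needs_rehash($users[$email], PASSWORD_DEFAULT)) {
        $users[$email] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function changeEmail(array &$users, string $old, string $new): void
{
    // The salt does not depend on the email, so the hash moves unchanged.
    $users[$new] = $users[$old];
    unset($users[$old]);
}

$users = [];
$pw = 'correct horse battery staple';
register($users, 'alice@example.test', $pw);
register($users, 'bob@example.test', $pw);

// Same password, different random salts: the stored hashes differ.
var_dump($users['alice@example.test'] !== $users['bob@example.test']);

// Simulate a hash stored long ago with a weak cost, then log in.
$users['bob@example.test'] = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(login($users, 'bob@example.test', $pw));
// Inspect the upgraded hash: algorithm name and current cost.
print_r(password_get_info($users['bob@example.test']));

// Changing the email needs no password change.
changeEmail($users, 'alice@example.test', 'alice@new.example.test');
var_dump(login($users, 'alice@new.example.test', $pw));
var_dump(login($users, 'alice@new.example.test', 'wrong guess'));
```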


I personally do not recommend involving the user id and his email in the hashing of his password.
You can deal with the password by:

  • Dynamic salt per user based on random string generated on user registration
  • Prepend one part of the salt and append the other around the password
  • Double md5: md5(md5($password))
  • Etc.


A simple way would be to generate a random salt for each user and hash your password like this:

// SHA-256 over the per-user salt followed by the raw password
public function encodePassword( $raw, $salt ) {
    return hash('sha256', $salt.$raw);
}
For a high-security hash, you can check this link, which explains how to implement PBKDF2:
