The only comment I would like to make is that if someone gains access to the database in which you are also storing the salt they should be able to easily recalculate their own hash database using the salt you have now given them.

It’s true they would have to recalculate for every user because the hash is different but what if they only need to gain access to one account?

My own method for storing the salt would be to place it outside the webroot as a variable your script will read during the runtime. This way the attacker will not know the needed salt to recalculate the hash.

Making a more complicated model you could create a random salt for each user and store it outside the webroot on a one file per user basis.

Dynamic includes are a beautiful thing.

You can see my post about the subject at:
http://juanjose.blackfalconsolutions.com/2007/09/13/md5-hashing-and-salt/

I just read a great post by Marcel Oelke who runs http://md5.rednoize.com/. He’s got a great way to access his webservice and check to see if a users password is insecure, even if you are using MD5 before storing the password. I know many people …

$url = “http://md5.rednoize.com/?p&q=” .$_GET['string'];
$feedback = file_get_contents($url);
echo $feedback;

I really like your md5() password checker. I also like the AJAX implementation to check the passwords. I was trying to implement it on my site when i read your statement about the proxy script. Since i was confinced that there should be an easier way to use your “webservice”, I used a very simple PHP implementation. Instead of using a direct XML-request to your server, I made a local file called (for instance) check.php. This file accepts a GET-variable containing the MD5-hash and use that to query your site:

The rest of your javascript remains exactly the same, only the function should be called using:

javascript:xmlhttpPost(‘check.php?string=’)

Thanks a million for sharing this with us!