
Javascript MD5 Authorization

TL;DR

This guide walks through basic password checking using MD5 hashing in JavaScript. Strictly speaking this is authentication (verifying who a user is), not authorization (deciding what they may do), although the page title uses the latter term. MD5 is cryptographically broken (practical collisions exist) and, more importantly for password storage, it is extremely fast to compute, so an attacker who obtains your hashes can test billions of guesses per second on commodity GPUs. It should not be used for real credentials or for new systems. This example is for educational purposes only, demonstrating the concept of hashing passwords before comparison.

Steps

  1. Choose an MD5 Library: Browser JavaScript has no built-in MD5 function (the Web Crypto `digest()` API only offers SHA-1 and SHA-2), so in the browser you need a library; a popular choice is md5.js. Include it in your HTML file before any script that calls `md5()`. (Node.js does ship MD5 in its built-in `crypto` module via `crypto.createHash('md5')`, so no library is needed there.)
    <script src="md5.min.js"></script>
  2. Store Passwords Securely (Important!): Never store passwords in plain text. Store a hash of the password instead (here MD5, for demonstration; see step 7 for what to use in practice). Do the hashing on the server: if the browser hashes the password and sends the digest over the wire, the digest itself becomes the credential, and anyone who captures it or reads it from the database can log in without ever knowing the password.

    When a user registers:

    • Get the user’s password.
    • Hash the password using MD5.
    • Store the hash in your database (along with other user details).
  3. Hashing Passwords: Use the library to generate the MD5 hash.
    const password = 'mySecretPassword';
    const hashedPassword = md5(password);
    console.log(hashedPassword); // Output will be a 32-character hexadecimal string
  4. Authentication Process: When a user logs in:
    • Get the user’s entered password.
    • Hash the entered password using MD5 (using the same library, so the output format matches).
    • Retrieve the stored hash from your database for that username.
    • Compare the two hashes. If they match, authentication is successful. Plain `===` on strings stops at the first differing character; on a server prefer a constant-time comparison such as Node's `crypto.timingSafeEqual` so response timing does not leak information about the stored hash.
  5. Example Authentication Code:
    function authenticate(username, password) {
      // Retrieve stored hash from database (replace with your actual code)
      const storedHash = getStoredHashForUsername(username);
    
      if (!storedHash) {
        return false; // User not found
      }
    
      const hashedPassword = md5(password);
    
      return hashedPassword === storedHash;
    }
    
  6. Salting (Highly Recommended): Unsalted hashes are vulnerable to precomputed (rainbow) tables, and every user with the same password ends up with the same hash. To mitigate this, use salting.
    • Generate a unique random salt for each user, using a cryptographically secure random source (not `Math.random()`).
    • Concatenate the password and salt before hashing: md5(salt + password)
    • Store both the hash *and* the salt in your database (the salt does not need to be secret).
    • During authentication, retrieve the salt from the database, concatenate it with the entered password, hash it, and compare to the stored hash.
    • Note what salting does not fix: each guess still costs one fast MD5 computation, so a per-user dictionary or brute-force attack remains cheap.
  7. Important Security Note: MD5 is outdated and fast, which is exactly the wrong property for a password hash. For modern applications, use a purpose-built, deliberately slow password hashing function such as Argon2, bcrypt, scrypt or PBKDF2, which handle salting for you and have a tunable work factor you can raise as hardware gets faster.

Code Example with Salting

function generateSalt() {
  // 16 random bytes from the platform CSPRNG (Web Crypto, available in browsers
  // and as a global in Node.js 19+), hex-encoded to a 32-character string.
  // Math.random() is not cryptographically secure and must not be used for salts.
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

function hashPasswordWithSalt(password, salt) {
  return md5(salt + password);
}

// Registration:
const newUserSalt = generateSalt();
const hashedPasswordWithSalt = hashPasswordWithSalt('mySecretPassword', newUserSalt);
// Store newUserSalt and hashedPasswordWithSalt in the database.

// Authentication:
function authenticateWithSalt(username, password) {
  const storedSalt = getStoredSaltForUsername(username);
  const storedHash = getStoredHashForUsername(username);

  if (!storedSalt || !storedHash) {
    return false;
  }

  const hashedPasswordWithSalt = hashPasswordWithSalt(password, storedSalt);
  return hashedPasswordWithSalt === storedHash;
}