Are all md5 hashes the same?

Question

If I create an md5 hash for a string on one cpmputer using a bash script, will that same string create the same md5 hash if I were to cerate an md5 hash via a php script on another computer? I'm trying to write a script on one computer and port it to another. That script will create an md5 hash for a user password. Then, a seperate web page will ask for a username and password. As I do not want to store the raw password I'd like to store the hash, have the php script compute the hash for the password that the user enters, and grant access if they match up. Should this theoretically work, or are there issues that I need to consider?

Answer 1

Yes, provided you hash the same sequence of bytes on each platform. Consider this, for example:

$ echo 'P4$$w0rd' | md5
9bb60af76b036e37a6d2626868c8c101
$ printf 'P4$$w0rd' | md5
640e5a3b9f9e4d667456c4e68194d6a2

Why are the hashes different? Because echo put a newline (ascii LF character) at the end of the string, while printf didn't. You need to make sure that all platforms are encoding the password the same way (i.e. ISO-8859-1 vs. UTF-8 vs. UTF-16 vs. UTF-8 with BOM...), and if anything's added (like the newline) it should be consistent (e.g. Windows tends to use CRLF at the end of lines, instead of just LF...).

Also, as @Mitch Wheat mentioned, for password storage you really should salt the hash (i.e. hash some random data together with the password, then store the random data and the hash). Something stronger than MD5 would be good as well, but that's not nearly as important. Here's a completely quick-and-dirty implementation:

# generate the hash:
read -s -p "Enter a password:" password
echo
salt="$RANDOM"  # Really should use something more random here...
hashedpw="$salt,$(printf "%s|%s" "$salt" "$password" | md5)"

echo "The salted hash is $hashedpw"

# check the hash:
read -s -p "Try to reenter the password:" testpassword
echo
salt="${hashedpw%%,*}"
hashonly="${hashedpw#*,}"
if [ "$hashonly" = "$(printf "%s|%s" "$salt" "$testpassword" | md5)" ]; then
    echo "That was the same password"
else
    echo "That was not the same password"
fi

EDIT: here's a better way of generating a random salt, although it's probably not as portable:

salt="$(dd if=/dev/random bs=16 count=1 2>/dev/null | od -x | sed 's/^[0-9]*//' | tr -d $' \t\n')"

If you want even more randomness, just increase the bs=16 parameter; that controls the number of bytes of random data that's used.

Answer 2

Yes, in theory that should work. MD5 is a hashing algorithm, so as long as it's using MD5 for both ends, it should work no problem.

There are other, more secure hashing algorithms you might want to consider, like SHA for example. And, as the comments above suggest, you should always salt your hashes to add an extra layer of security...

Answer 3

Yes, MD5 checksums are platform agnostic and will produce the same value every time on the same file/string/whatever.

However, you may want to reconsider your scheme. At least salt your hashes. There is tons of advice for username/password storage schemes on StackOverflow.