That is actually a good thing. If you are sent the password, you then hash it, and make certain that it is equal to the hash that is saved server side. Or, if you get the hashed value from the cookie, compare that to the serverside value. I do not know if this will help, but you can check it out: Digest::MD5 - Perl interface to the MD5 Algorithm Since you are quoting from Mods in Perl and C, Counterpane is a great crypto site that has MD5 source in C. It is Bruce Schneier's site. He is the author of Applied Cryptography, a brilliant text. In the first couple chapters they talk about protocols and signatures and such. Good reading.