tomek wojtek

Reputation: 1

Changing from md5 to sha1, salting

My algorithm looks like this:

$new_password = sha1($salt . $password . $email);

It works well, but I'm trying to change to sha1 since I've heard it's better, but it won't work. Why is that?

register:

//generate a strong unique salt
$salt = uniqid(mt_rand());

$new_password = sha1($salt . $password . $email);

and then I rehash it when I log in.

Upvotes: 0

Views: 427

Answers (3)

Grumdrig

Reputation: 16977

You want a constant string for your salt, e.g.

$salt = "iodized sea salt";

EDIT: The commenters and downvoters here seem not to understand the concept of a salt. Using a constant salt certainly would not defeat the purpose of the salt, which is to make your choice of hashing algorithm ("SHA1 with such-and-such a salt") private. This salt can be long and its choice has more entropy than, say, uniqid(mt_rand()). You can't brute force a long salt any time this side of never. A per-user salt might make you feel better if you're not clear on computer security, but doesn't provide any other benefit.

Upvotes: -1

dicroce

Reputation: 46780

Yes, sha1 is a better hash than md5. Much of the time, though, md5 is good enough... Really, how "insecure" your site is is determined much more by other factors.

Upvotes: 0

Greg

Reputation: 321698

Are you storing the salt with the hashed password? You need to use the same salt when checking the hash - each user should have their email address, salt and hash stored.

Upvotes: 3
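The register/login flow from the question, written out the way Greg's answer describes it, as an added example that is not code from any post on this page: the salt is generated once at registration, stored next to the hash, and read back on login rather than generated again. It keeps the question's sha1(salt . password . email) construction so the fix is visible in isolation. Assumptions: an in-memory array stands in for the users table (the column names are hypothetical), random_bytes() replaces uniqid(mt_rand()) as the salt source, and the function names are the example's own.

```php
<?php
// Added example, not the original poster's code. Demonstrates why the login
// in the question fails: a salt generated again at login never equals the one
// used at registration, so the recomputed hash cannot match.
declare(strict_types=1);

function make_salt(): string
{
    // random_bytes() is PHP's CSPRNG (PHP 7+). uniqid(mt_rand()) from the
    // question is predictable and is not a good salt source.
    return bin2hex(random_bytes(16));
}

function hash_password(string $salt, string $password, string $email): string
{
    // Same construction as the question, kept deliberately so the only
    // difference between working and broken login is salt handling.
    return sha1($salt . $password . $email);
}

/** Registration: generate the salt once and persist it with the hash. */
function register_user(array &$users, string $email, string $password): void
{
    $salt = make_salt();
    $users[$email] = [                        // $users stands in for the DB table
        'email' => $email,
        'salt'  => $salt,                     // stored; never regenerated later
        'hash'  => hash_password($salt, $password, $email),
    ];
}

/** Login done right: reuse the stored salt when recomputing the hash. */
function check_login(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $row = $users[$email];
    $candidate = hash_password($row['salt'], $password, $email);
    // hash_equals() compares in constant time, so a byte-by-byte mismatch
    // position is not leaked through timing.
    return hash_equals($row['hash'], $candidate);
}

/** The bug in the question: a fresh salt at login, which can never match. */
function check_login_broken(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $freshSalt = make_salt();                 // wrong: this is not the stored salt
    $candidate = hash_password($freshSalt, $password, $email);
    return hash_equals($users[$email]['hash'], $candidate);
}

$users = [];
register_user($users, 'alice@example.com', 'correct horse battery staple');

var_dump(check_login($users, 'alice@example.com', 'correct horse battery staple'));
var_dump(check_login($users, 'alice@example.com', 'wrong password'));
var_dump(check_login_broken($users, 'alice@example.com', 'correct horse battery staple'));
```

The first check succeeds, the second fails on the wrong password, and the third fails even with the right password, which is the symptom from the question. Two caveats beyond the fix itself: sha1 and md5 are fast hashes, so even with a per-user salt an offline attacker can test many guesses per second against a leaked table; and on PHP 5.5 or later, password_hash() and password_verify() generate and store the salt inside the returned string and use bcrypt, which is the route to prefer over hand-rolling the construction above.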
