Sameer Zahid

Reputation: 583

Is using sha1() with a salt secure?

I understand that sha1() is not secure, but my client's website uses something like this to hash passwords:

$salt = '123abckkk';
$hash = sha1($salt.$password);

Now I'm guessing that if someone breaks into the database and steals the hashes, then they won't be able to crack them, because none of the hashes would have come from common words, since they have that '123abckkk' mixed into them.

Not sure if this is how it works, but if this is not a secure method then please tell me why.

Upvotes: 3

Views: 5935

Answers (1)

Dave Chen

Reputation: 10975

  1. You should not use md5 or sha1 to hash passwords, instead use password_hash.

    • Hashing passwords isn't for your security. It's for your users' security. We're assuming an attacker has a dump of your database and has a long time to reverse the hashes into passwords. The longer the hashing function takes, the longer it takes for the attacker to crack these passwords. The time this delays them can be used to warn your users and tell them to change their passwords on other sites.

  2. Hashes should be unique and not a set string such as 123abckkk.

Upvotes: 2
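To make the two points of the answer concrete, here is an added example (not code from the question or the answer) that puts the static-salt sha1() scheme from the question next to password_hash()/password_verify(). The user list and the four-word dictionary are constructed for illustration; the bcrypt cost of 12 is an assumed setting, not something the page specifies.

```php
<?php
// Added example, not from the original question or answer: contrasts the
// site-wide-salt sha1() scheme with PHP's password_hash()/password_verify().
// The users, passwords and wordlist below are constructed for illustration.

declare(strict_types=1);

const STATIC_SALT = '123abckkk';

// The scheme from the question: one salt for the whole site, one fast SHA-1 round.
function weakHash(string $password): string
{
    return sha1(STATIC_SALT . $password);
}

// The scheme the answer recommends: bcrypt with a random per-password salt that
// password_hash() generates itself and stores inside the returned string.
// Cost 12 is an assumed value; tune it to your hardware.
function strongHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Offline dictionary attack on the static-salt table. Once the salt leaks with
// the database (or the source), each candidate costs one sha1() call, and one
// salted hash of a candidate covers every user who chose that password.
function crackWeak(array $stolenHashes, array $wordlist): array
{
    $cracked = [];
    foreach ($wordlist as $candidate) {
        $h = weakHash($candidate);
        foreach ($stolenHashes as $user => $stored) {
            if (hash_equals($stored, $h)) {
                $cracked[$user] = $candidate;
            }
        }
    }
    return $cracked;
}

// Constructed sample: two users picked the same weak password.
$users = [
    'alice' => 'letmein',
    'bob'   => 'letmein',
    'carol' => 'correct horse battery staple',
];
$wordlist = ['password', '123456', 'letmein', 'qwerty'];

// array_map() keeps the string keys when given a single array.
$weakDb   = array_map('weakHash', $users);
$strongDb = array_map('strongHash', $users);

// With a fixed salt, equal passwords give equal hashes, so the attacker can
// see that alice and bob share a password before cracking anything.
// With per-hash random salts the two bcrypt strings differ.
var_dump($weakDb['alice'] === $weakDb['bob']);
var_dump($strongDb['alice'] === $strongDb['bob']);

// A four-word list recovers alice and bob from the weak table in four sha1() calls.
print_r(crackWeak($weakDb, $wordlist));

// password_verify() reads the algorithm, cost and salt back out of the stored string.
var_dump(password_verify('letmein', $strongDb['alice']));
var_dump(password_verify('wrong', $strongDb['alice']));

// Rough cost comparison: one sha1() call versus one bcrypt verification.
$t = microtime(true);
for ($i = 0; $i < 1000; $i++) {
    weakHash('letmein');
}
$weakPerHash = (microtime(true) - $t) / 1000;

$t = microtime(true);
password_verify('letmein', $strongDb['alice']);
$strongPerHash = microtime(true) - $t;

printf("sha1 with static salt: %.2e s/hash, bcrypt cost 12: %.2e s/hash\n",
    $weakPerHash, $strongPerHash);

// When you raise the cost later, upgrade stored hashes on the next successful login.
if (password_needs_rehash($strongDb['alice'], PASSWORD_BCRYPT, ['cost' => 13])) {
    $strongDb['alice'] = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 13]);
}
```

Run it with `php example.php`. The timing figures vary by machine, but the ratio is the point of the answer's first bullet: an attacker with the dump pays the bcrypt cost for every guess against every user, while against the sha1() table one cheap hash per dictionary word is tested against the whole user base. The second bullet is the `$weakDb['alice'] === $weakDb['bob']` comparison: a salt that is the same for everyone does not separate users who chose the same password, whereas password_hash() draws a fresh random salt for each call.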
