Suraj

Reputation: 930

PHP different one way hashes for password security

I was wondering about hashing the password in PHP using the different methods available, and combining them for more and more security. I was wondering if this would work?

$pass = "***";                 // the plaintext password (placeholder)
$salt = "!@)#%%@(#&@_!R151";   // fixed, application-wide salt
$pass = sha1($pass.$salt);     // salted SHA-1 digest
$pass = md5($pass);            // then MD5 of that digest

Upvotes: 2

Views: 978

Answers (5)

ircmaxell

Reputation: 165271

IF you are going to do this, don't just MD5 the result:

$pass = "***";                 // the plaintext password (placeholder)
$salt = "!@)#%%@(#&@_!R151";   // fixed, application-wide salt
$pass = sha1($pass.$salt);     // salted SHA-1 digest
$pass = md5($pass);            // MD5 of the digest alone (what the question does)

Instead, run md5 on the result and the inputs together:

$pass = "***";                        // the plaintext password (placeholder)
$salt = "!@)#%%@(#&@_!R151";          // fixed, application-wide salt
$tmp = sha1($pass.$salt);             // salted SHA-1 digest
$pass = md5($tmp . $pass . $salt);    // MD5 over the digest plus the original inputs

The reason is that if you do md5(sha1()), you're basically increasing the chances of collision: all sha1 collisions would automatically be collisions in the md5 call (hence it's a superset of the collisions). By re-entering the password and salt, you're preventing that from happening, and hence creating a "stronger" hash rather than a weaker one.

Upvotes: 0

shamittomar

Reputation: 46702

Rather than that, you can use a stronger hashing algorithm like sha512 in combination with a strong salt and the UserID. Do it like this:

// $StrongSalt and $UserID are assumed to have been set earlier
echo hash('sha512', 'MyPassword' . $StrongSalt . $UserID);

SHA512 is actually SHA-2, for which no collisions have been found. See Wikipedia.

Upvotes: 5

Your Common Sense

Reputation: 157979

Nope. Combinations do not add any security.
Actually, you made it less secure. Theoretically, but anyway.

I have a feeling that hashing issues are way overestimated.
Nobody is concerned about any other security issue, but everyone is anxious to make a hash unbreakable in a billion years. Relax, buddy. There are thousands of other ways to break your app.

Upvotes: 5

Russell Dias

Reputation: 73382

Your passwords will most likely never be 100% secure.

Try looking at a nonce, which should be generated for each individual user.

Upvotes: 0

aularon

Reputation: 11110

I guess adding a salt is enough, but if you want more, maybe do:

$hash = sha1($salt . sha1($salt . $pass));   // salted inner hash, then salted again

and let $salt contain some non-printable chars, arbitrary binary data or anything like that.

Again, I guess this won't add much, since the implementations I saw only add $salt, but why not more security for the coming ages : )

Upvotes: 0
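As an added example, not code from the question or from any of the answers, the following PHP puts the question's fixed-salt construction beside the per-user random salt that shamittomar's UserID and Russell Dias's per-user nonce point at, and checks the stored hash in constant time. The function names and the sample users are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or any answer. It shows why the fixed
// application-wide salt in the question gives two users with the same password the
// same stored hash, and how a per-user random salt (the per-user "nonce" / UserID idea
// in the answers) avoids that. Function names and the $users array are illustrative.
declare(strict_types=1);

const GLOBAL_SALT = "!@)#%%@(#&@_!R151"; // the fixed salt from the question

// The question's construction: md5(sha1(password . fixed salt)).
function hashFixedSalt(string $password): string
{
    return md5(sha1($password . GLOBAL_SALT));
}

// Per-user salt: 16 bytes from the CSPRNG, hex-encoded so it stores as text.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// SHA-512 over the per-user salt and the password (shamittomar's hash() call,
// with the random salt standing in for $StrongSalt . $UserID).
function hashPerUserSalt(string $password, string $salt): string
{
    return hash('sha512', $salt . $password);
}

// hash_equals() compares in constant time, so a mismatch does not leak how
// many leading characters of the stored hash matched.
function verifyPerUserSalt(string $password, string $salt, string $stored): bool
{
    return hash_equals($stored, hashPerUserSalt($password, $salt));
}

// Constructed sample data: two users who happen to pick the same password.
$users = ['alice' => 'hunter2', 'bob' => 'hunter2'];

$fixed = array_map('hashFixedSalt', $users);
echo 'fixed salt, alice and bob share a hash: ', var_export($fixed['alice'] === $fixed['bob'], true), PHP_EOL;

$records = [];
foreach ($users as $name => $pw) {
    $salt = makeSalt();
    $records[$name] = ['salt' => $salt, 'hash' => hashPerUserSalt($pw, $salt)];
}
echo 'per-user salt, alice and bob share a hash: ', var_export($records['alice']['hash'] === $records['bob']['hash'], true), PHP_EOL;
echo 'bob verifies with the right password: ', var_export(verifyPerUserSalt('hunter2', $records['bob']['salt'], $records['bob']['hash']), true), PHP_EOL;
```

In current PHP (5.5 and later) the built-in password_hash() and password_verify() do the per-user salting for you and add a slow work factor, which is the simpler choice in practice.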
