sha1 is a hash algorithm much like md5, sha256, sha512, and many others.
The book you pulled that piece of code from is a very poor example. A salt is supposed to be random but a timestamp is not random. Kai has been working on a random generator, I believe there was a link in his signature, to his project. His implementation would be much more suited for a salt.
Yes, I would skip the sha1 algorithm. MD5 has been compromised and there is reasonable belief that sha1 will soon suffer the same. I would use sha256 at the minimum, preferably sha512.
A salt is designed to complicate the process of brute forcing a compromised hash.
For example, if you md5("password") and the hash is "5f4dcc3b5aa765d61d8327deb882cf99", it won't take an attacker long to run through a dictionary of common passwords to find a match.
md5("love"); //b5c0b187fe309af0f4d35982fd961d7e
md5("sex"); //3c3662bcb661d6de679c636744c66b62
md5("secret"); //5ebe2294ecd0e0f08eab7690d2a6ee69
md5("god"); //a4757d7419ff3b48e92e90596f0e7548
md5("password"); //5f4dcc3b5aa765d61d8327deb882cf99
We got a match! This user's password must be "password".
Now imagine how hard it would be to guess something like:
<?php
# Randomly generated salt and pepper.
# The salt is stored in the database, the pepper on the filesystem. Should one system be compromised, the other might not be.
# It is one more step towards security in depth.
$salt = "3d4d588c4a33d9f40b6eff11411d6a67472e75d4c5bb714e01022abbbcb99854111252cf63bab2bb4b817dd9dbf18ea6b978bd2e464a9078149f054ef9fed826";
$pepper = "OTEyNjY1MDg0NzY3Y2E2M2ZmMzA0ZDE4NzQ0NGFjNjY3NDlkOGFkYThkZWE0ZDQ4YzAyNGE1ZjYzNDcxMmI4YjRjM2UxMmVjYmNjNDcxNDA1OGVlODlmZTExOGE5YmNkOGZjZGI2NWMxOTg5MjM1OGIwNDE1MzY4OTI4ZWQ4OTY=";
$password = "password";
# Hash the concatenation password . salt . pepper and print the hex digest.
echo hash('sha512', $password . $salt . $pepper); //14ac5aa847a22a6f7587d60c735b5039ae80293e0a7f6cdc1409b6b8d3fac7b019a01afb9290fae13ed959e88e27703c05ef86401339a468d149ea9b28d3b30c
?>
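As an added example (not code from the original post), the same password . salt . pepper construction in Python: the salt comes from the OS CSPRNG rather than a timestamp, verification uses a constant-time compare, and a helper shows why two users with the same password end up with different stored hashes. The pepper string and the hypothetical function names are constructed for this example; a dedicated password hash (bcrypt, scrypt, Argon2) is the usual choice today, but the plain sha512 form is kept here to mirror the post.

```python
import hashlib
import hmac
import secrets

# Constructed example pepper: in deployment it lives on the filesystem,
# outside the database that stores the per-user salts and hashes.
PEPPER = "constructed-example-pepper-keep-out-of-the-db"


def make_salt(nbytes: int = 32) -> str:
    """Fresh random salt as hex from the OS CSPRNG (never a timestamp)."""
    return secrets.token_hex(nbytes)


def hash_password(password: str, salt: str, pepper: str = PEPPER) -> str:
    """sha512 over password . salt . pepper, the same concatenation as the post."""
    data = (password + salt + pepper).encode("utf-8")
    return hashlib.sha512(data).hexdigest()


def verify_password(password: str, salt: str, stored: str, pepper: str = PEPPER) -> bool:
    """Recompute and compare in constant time, so timing cannot leak a prefix match."""
    return hmac.compare_digest(hash_password(password, salt, pepper), stored)


def salts_defeat_precomputed_tables(password: str = "password") -> bool:
    """Two users with the same password get different salts, hence different
    stored hashes; a table of unsalted digests matches neither of them."""
    salt_a, salt_b = make_salt(), make_salt()
    unsalted = hashlib.sha512(password.encode("utf-8")).hexdigest()
    h_a, h_b = hash_password(password, salt_a), hash_password(password, salt_b)
    return h_a != h_b and unsalted not in (h_a, h_b)


if __name__ == "__main__":
    salt = make_salt()
    digest = hash_password("password", salt)
    print("salt   :", salt)
    print("sha512 :", digest)
    print("verify :", verify_password("password", salt, digest))   # True
    print("wrong  :", verify_password("Password", salt, digest))   # False
    print("per-user salts differ:", salts_defeat_precomputed_tables())  # True
```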