feyd wrote: Although hashing is technically a form of encryption because a compression algorithm is performed on the data...
Compression != encryption.
A cheap definition of encryption could be "The act of altering data to make it unreadable unless you know how to decrypt it".
Merely compressing something doesn't make it encrypted, and in fact, a hash isn't even truly compression (it loses the content, giving a unique representation of the data - NOT a smaller version of the same data).
Some other misconceptions... MD5 is no longer considered secure - in crypto circles.
Cryptology is all relative. So, for example, previously, MD5 had a brute-force time in the months-long range. Now, based on the latest findings, it's been reduced to under 8 hours using a standard desktop. That's a severe break!
Now factor in that some attackers have botnets in the 1,000-computer range, and suddenly, it's a very serious issue for sites that require "trust".
SHA1 has also had some hits lately; although not nearly as dramatic, they also reduced the brute-force time a substantial amount.
What does this mean for a PHP developer? Well, let's take a forum, or an online game. The users' passwords are hashed, and the hash is stored.
If an attacker were able to get that list of hashes, previously, it would have been nearly useless - it would have taken months for EACH hash to be brute-forced. Now, however, with even a few computers, in a matter of 3-4 days, the attacker can have the vast majority of the passwords!
When you consider that most people re-use passwords, suddenly, even a simple online game or forum becomes a valuable target. What if the user reused that password on eBay? Or his bank?
The point is, if you are choosing to hash a password, you care about security. If you care about security, don't give people a false sense of security. Their online lives may be compromised by your shortcuts!!
Right now, SHA-256 is considered secure for the foreseeable future. Several threads have posted a PHP version and a JavaScript version, which is all you need to implement both ends of a fairly secure login system.