Re: how to descript the password
Posted: Tue Feb 03, 2009 2:20 am
Or use their unique ID (the auto incremented one)
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
Is this considered more unsecure than a simple hash?

Code: Select all
public function sethash($v){
    return md5(crc32(sha1(md5(strrev($v)))));
}
mikelbring wrote:
Is this considered more unsecure than a simple hash?

Yes, every hash introduces possible collisions. So even if $a and $b are different, $c = md5($a) and $d = md5($b) could be the same (although it's unlikely). And if they are different, crc32(sha1($c)) and crc32(sha1($d)) could be the same, and so could md5($c) and md5($d).
Apollo wrote:
Yes, every hash introduces possible collisions. So even if $a and $b are different, $c = md5($a) and $d = md5($b) could be the same (although it's unlikely). And if they are different, crc32(sha1($c)) and crc32(sha1($d)) could be the same, and so could md5($c) and md5($d).

Are sha1, 256 and 512 already in php? I use md5 like no tomorrow because it's already there for you.
Especially crc32, which is only 32 bits, will drastically reduce the number of different possible results.

The only situation where nested hashes could improve security somewhat is if you only use direct md5 hashes of the password or whatever you are hashing. This way people can use quick dictionary attacks and rainbow table lookups. But in that case salting the string before hashing it is much better than hashing multiple times.

To sum it up, if $a is the string (e.g. password) you want to hash:
- md5( $a ) has a low chance of collision, but is easy to attack with dictionaries/rainbow tables
- md5( md5( $a ) ) has a higher chance of collision, and is somewhat less easy to attack with dictionaries/rainbow tables
- md5( $a . $randomSalt ) has a low chance of collision, and is impossible to attack with dictionaries/rainbow tables
- md5( md5( $a ) . $randomSalt ) has a higher chance of collision, and is impossible to attack with dictionaries/rainbow tables

Obviously the 3rd approach is best, with the notion that $randomSalt is actually salt + pepper (i.e. $constantGlobalSalt.$userSpecificSalt).

Using other hashing algorithms (e.g. sha1 instead of md5) does not make an essential difference for the above.
Nonetheless I would recommend using sha1 (or preferably even sha256 or sha512) instead of md5 at all times, as md5 seems to become more and more vulnerable these days. Nothing really serious (yet), but sha1 can currently be considered less risky.
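The salt + pepper scheme from the post above (approach 3, with $randomSalt = $constantGlobalSalt.$userSpecificSalt), written out in PHP as an added example; this is not code from the thread or its members, and the names PEPPER, makeUserSalt, makeUserHash, verifyUserHash and nestedHash, as well as the placeholder pepper value, are this example's own.

```php
<?php
// Added example, not code from the forum thread.

// "Constant global salt" (pepper): one secret per application, kept out of
// the database (e.g. in a config file) so a DB dump alone does not reveal it.
const PEPPER = 'replace-with-a-long-random-secret'; // placeholder value

// Per-user salt: random, stored next to the hash; it does not need to be secret.
function makeUserSalt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Approach 3 from the thread: hash($a . $randomSalt), here with the
// hash('sha256', ...) call the thread mentions instead of md5.
function makeUserHash(string $password, string $userSalt): string {
    return hash('sha256', $password . PEPPER . $userSalt);
}

// Constant-time comparison so timing does not leak how many bytes matched.
function verifyUserHash(string $password, string $userSalt, string $stored): bool {
    return hash_equals($stored, makeUserHash($password, $userSalt));
}

// The sethash() chain posted earlier in the thread, for comparison: crc32()
// returns a 32-bit integer (md5 hashes its decimal string form), so whatever
// the outer md5 does, the whole chain can yield at most 2^32 distinct results.
function nestedHash(string $v): string {
    return md5((string) crc32(sha1(md5(strrev($v)))));
}

// Demo: the same password stored for two users gives two different digests,
// so a table precomputed for one user's salt is useless against the other.
$saltA = makeUserSalt();
$saltB = makeUserSalt();
$hashA = makeUserHash('correct horse', $saltA);
$hashB = makeUserHash('correct horse', $saltB);
var_dump($hashA !== $hashB);
var_dump(verifyUserHash('correct horse', $saltA, $hashA));
var_dump(verifyUserHash('wrong password', $saltA, $hashA));
var_dump(nestedHash('correct horse'));
```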
Skoalbasher wrote:
Are sha1, 256 and 512 already in php? I use md5 like no tomorrow because it's already there for you.

sha1 is there by default (php.net reference), sha256 and sha512 are probably accessible through the hash function:

Code: Select all
$a = hash('sha256',$password);
$b = hash('sha512',$password);

Apollo wrote:
sha1 is there by default (php.net reference), sha256 and sha512 are probably accessible through the hash function:

Code: Select all
$a = hash('sha256',$password);
$b = hash('sha512',$password);

Cool, yeah I went and looked it up. Thanks!