I'm currently setting up a table in my database to handle users and their passwords.
I'm stuck on which form of encryption to use, and which would be the best choice.
I know that MD5 and SHA1 are not worth going with, but I'm unsure what would be the right choice.
I was thinking about using Feyd's SHA256 algorithm but I read this on a Slashdot comment:
MD5 is dead. SHA-1 is currently dying. They're both based on the same fundamental math, and the attacks on SHA1 are getting stronger and stronger. Now would be a really good time to get off of that entire family of hashes if you can (MD4, MD5, RIPEMD-*, SHA-*, etc).
The crypto world is in a little bit of a bind when it comes to strong hashes now. We simply don't have any left that both have a long proven track record of analysis and haven't been seriously compromised. Best bet, IMHO, is to go with a new-blood hash algorithm. They seem to be the answer we're looking for - but of course what they lack is more years of intensive study by the experts for flaws they themselves might harbor.
So if you want to give them a whirl, I'd recommend looking at Tiger and Whirlpool:
http://en.wikipedia.org/wiki/Tiger_(hash) [wikipedia.org]
http://en.wikipedia.org/wiki/Whirlpool_(algorithm) [wikipedia.org]
I'm thinking about looking into those hashing algorithms he links to, but I would like your opinions first, and maybe you can let me/us know what form of encryption you use/would recommend?
This may be straying slightly OT, but what's wrong with MySQL's PASSWORD() function? Has that been flawed?
Thanks for any input