Secure Login Script (md5 & sha1)
Moderator: General Moderators
I'm looking to create a secure login script that will use hashing to store/verify the user's password. Based on what I've read, I have a few questions that I'd like verified:
1.) sha256 > sha1 > md5. Correct?
2.) The sha1 algorithm has been compromised. True?
3.) Let's assume that I use sha1 to hash all my passwords. If, down the road, I wish to change what I use to hash the passwords, is this possible if I can't rehash the original password?
I'm relatively new to implementing security features such as these, so any help on the above questions or anything related to secure logon scripts would be greatly appreciated.
Thank you!
Brian
- RobertGonzalez
PHP 5.1.2 has built-in hashing. I use the hash() function in many situations.
This is more of an FYI for other readers as I know your version is lower than 5.1.2.
I've just found the hash_algos() function, so I checked it out and was happy to find sha256() on the list, but when I tried to call sha256() I got the undefined function error message. What the hell?
hash_algos() doesn't list functions, but rather algorithms that are supported by your PHP installation. If it's listed in hash_algos(), then you can pass it as an argument to hash(). I'm doing the same thing here, so if (like me) you want to use sha256, you would call hash('sha256', 'string to hash goes here')
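An added example, not part of any post in this thread: it uses hash() and hash_algos() as described in the last reply and shows one way to handle question 3, by storing the algorithm name with each hash and re-hashing at the next successful login, when the plaintext is briefly available. It assumes PHP 7.1+ (random_bytes, hash_equals, array destructuring); the function names and the `algo$salt$digest` record layout are hypothetical.

```php
<?php
// Added example, not from the thread. Function names and the
// "algo$salt$digest" record layout are hypothetical.

// Pick the first preferred algorithm that this PHP build lists in hash_algos().
function pick_algo(array $preferred = ['sha256', 'sha1']): string {
    $available = hash_algos();
    foreach ($preferred as $algo) {
        if (in_array($algo, $available, true)) {
            return $algo;
        }
    }
    throw new RuntimeException('No preferred hash algorithm available');
}

// Build a stored record that names the algorithm alongside the salt and digest.
function make_record(string $password, string $algo): string {
    $salt = bin2hex(random_bytes(16));
    return $algo . '$' . $salt . '$' . hash($algo, $salt . $password);
}

// Verify a login attempt. Returns [ok, replacement record or null].
function verify_login(string $password, string $record): array {
    $parts = explode('$', $record);
    if (count($parts) !== 3 || !in_array($parts[0], hash_algos(), true)) {
        return [false, null];
    }
    [$algo, $salt, $digest] = $parts;
    // hash_equals compares in constant time to avoid leaking match length.
    if (!hash_equals($digest, hash($algo, $salt . $password))) {
        return [false, null];
    }
    // The plaintext is only available here, so this is the moment to upgrade.
    $best = pick_algo();
    return [true, $algo === $best ? null : make_record($password, $best)];
}

// Constructed sample: an account stored under sha1, then a successful login.
$old = make_record('correct horse', 'sha1');
[$ok, $upgraded] = verify_login('correct horse', $old);
var_dump($ok);
echo explode('$', $upgraded)[0], "\n"; // algorithm tag of the replacement record
[$bad] = verify_login('wrong guess', $old);
var_dump($bad);
```

The example stays with hash() because that is what the thread discusses; on PHP 5.5 and later, password_hash() and password_needs_rehash() provide the same upgrade-on-login pattern with a deliberately slow algorithm.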