Bendude14 Posted July 7, 2008
Could someone tell me which one of these is best used for storing passwords in a database? Which is most secure? Thanks
gigas10 Posted July 7, 2008
I would guess sha1, since it was designed by the NSA. But who knows since it's easily crackable, however I do know that it's impossible to figure out what the password was from a php made md5 hash.
GingerRobot Posted July 7, 2008
As long as you salt, either should be fine for your purposes. Both are hashes, not an encryption method. Therefore, they cannot be decrypted. Rainbow tables can be used to do a reverse lookup, however. This is why you need your salt. Salting (the process of putting extra characters in a password before hashing) will make pre-computed rainbow tables useless.
To give an answer, SHA1 is probably more secure. It produces a longer hash and is also less likely to produce collisions.
revraz Posted July 7, 2008
Searching Google for sha1 vs md5 will yield you a ton of results as well.
anon_login_001 Posted July 7, 2008
SHA1, by design, is "more secure" than MD5. However, as GingerRobot mentioned, both are vulnerable to certain attacks. Do look up how to correctly 'salt' a saved/stored SHA1 hash.
If you're securing people's data, it's important to understand what and why you're using some solution over another... not simply 'which is better?'. Take your time figuring this one out. It'll be worth it.
discomatt Posted July 7, 2008
MD5 - 128 bit
SHA1 - 160 bit, I believe.
Both are considered insecure... MD5 in 1994, SHA-1 in 2005. Appending a random salt to these algorithms (and using the salt to compute the hash as well) will result in a very, very secure method of storage though, regardless of the algorithm you choose.
Here's a great article: http://phpsec.org/articles/2005/password-hashing.html
Bendude14 Posted July 8, 2008 (Author)
Thanks for all the replies. I found that article with a bit of searching on Google. I've decided to go for the sha1 and use a salt as well. I will do some research on correctly implementing this even though I presumed it would be pretty straightforward.

<?php
// $salt must already be set before this point (not shown in the post)
$pwd = $_POST['pwd'];
$pwd = sha1($pwd . $salt);
?>

I was thinking something like this would work fine.
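The salting approach discussed in the posts above, as an added example that is not part of any poster's message: a random salt is generated per user, stored beside the hash, and reused at login to recompute and compare. The function names `hash_password()` and `verify_password()`, the sample passwords and the lookup table are constructed for illustration.

```php
<?php
// Added example: per-user random salt with SHA-1, following the thread.
// Function names and sample values are hypothetical, not from the posts.

function hash_password(string $password): array
{
    // A fresh 16-byte random salt per user, hex-encoded for storage.
    $salt = bin2hex(random_bytes(16));
    // Same construction as the snippet in the thread: sha1(password . salt).
    return ['salt' => $salt, 'hash' => sha1($password . $salt)];
}

function verify_password(string $password, array $record): bool
{
    // Recompute with the stored salt; hash_equals() compares in constant time.
    return hash_equals($record['hash'], sha1($password . $record['salt']));
}

// Constructed sample: two users choose the same password.
$alice = hash_password('letmein');
$bob   = hash_password('letmein');

// Constructed stand-in for a precomputed reverse-lookup table of unsalted hashes.
$precomputed = [
    sha1('letmein')  => 'letmein',
    sha1('password') => 'password',
];

echo "stored hashes identical for the same password: ";
var_dump($alice['hash'] === $bob['hash']);

echo "unsalted hash found in the precomputed table: ";
var_dump(isset($precomputed[sha1('letmein')]));

echo "salted hash found in the precomputed table: ";
var_dump(isset($precomputed[$alice['hash']]));

echo "correct password verifies: ";
var_dump(verify_password('letmein', $alice));

echo "wrong password verifies: ";
var_dump(verify_password('letmein1', $alice));
```

Both the `salt` and `hash` fields have to be stored for each user, since verification needs the original salt to recompute the hash.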
bluejay002 Posted July 8, 2008
I used SHA1 before but now I use MD5... though they don't present any problems as long as they were salted, properly that is. Also, RT has some sort of limitations, I mean the limitation is caused by the very big space required on your HDD. I selected MD5 for now since it eats up less space compared to SHA1. Just salt it properly.
Bendude14 Posted July 8, 2008 (Author)
OK, well, I have gone for the sha1 with a salt as space is not an issue for me at this time.
Thanks for all the replies.
Ben
waynew Posted July 8, 2008
sha1 it fifty times with a salt and then md5 it four hundred and ninety eight times.