[SOLVED] md5 or sha1

[Bendude14]

Could someone tell me which one of these is best used for storing passwords in a database?

 

which is most secure

 

Thanks

[gigas10]

I would guess sha1, since it was designed by the NSA. But who knows since it's easily crackable, however I do know that its impossible to figure out what the password was from a php made md5 hash.

[GingerRobot]

As long as you salt, either should be fine for your purposes.

 

Both are hashes, not an encryption method. Therefore, they cannot be decrypted. Rainbow tables can be used to do a reverse lookup, however. This is why you need your salt. Salting (the process of putting extra characters in a password before hashing) will make pre-computed rainbow tables useless.

 

To give an answer, SHA1 is probably more secure. It produces a longer hash and is also less likely to produce collisions.

[revraz]

Searching google for sha1 vs md5 will yeild you a ton of results as well.

[anon_login_001]

SHA1, by design, is "more secure" than MD5. However, as GingerRobot mentioned, both are vulnerable to certain attacks.

 

Do look up how to correctly 'salt' a saved/stored SHA1 hash.

 

If you're securing people's data, it's important to understand what and why you're using some solution over another... not simply 'which is better?'.  Take your time figuring this one out. It'll be worth it.

 

 

[discomatt]

MD5 - 128 bit

SHA1 - 160 bit, i believe.

 

Both are considered insecure... MD5 in 1994, SHA-1 in 2005. Appending a random salt to these algorithms ( and using the salt to compute the hash as well ) will result in a very, very secure method of storage though, regardless of the algorithm you choose.

 

Here's a great article

 

http://phpsec.org/articles/2005/password-hashing.html

[Bendude14]

Thanks for all the replies. I found that article with a bit of searching on google.

 

Ive decided to go for the sha1 and use a salt as well.

 

I will do some research on correctly implementing this even though i presumed it would be pretty straight forward

<?php

   $pwd = $_POST['pwd'];
   $pwd = sha1($pwd.$salt);
?>

 

I was thinking something like this would work fine

[bluejay002]

I used SHA1 before but now I use MD5... though they don't present any problems as long as they were salted, properly that is. Also, RT has some sort of limitations, I mean the limitation is caused by the very big space required to your HDD.

 

I selected MD5 for now since it eats up lesser space compared to SHA1. Just salt it properly.

[Bendude14]

Ok well i have gone for the sha1 with a salt as space is not an issue for me at this time

 

Thanks for all the replies.

 

Ben

[waynew]

sha1 it fifty times with a salt and then md5 it four hundred and ninety eight times.