Stooney Posted September 3, 2008 Share Posted September 3, 2008 With md5 compromised and sha1 following close behind, which hashing function(s) would you guys consider the most reliable (in terms of lasting as long as possible before it's not considered secure enough to use)? I'm considering either sha256 or sha512, any others that are worth considering? Edit: this is for storing user passwords in a mysql database. And come to think of it this has nothing to do with php. Quote Link to comment Share on other sites More sharing options...
corbin Posted September 3, 2008 Share Posted September 3, 2008 How is md5 compromised? Collisions can be created on purpose, even to make two things look the same... Could be malicious. Hash tables? That can be done with anything. Only takes time. Salting = ;p. Quote Link to comment Share on other sites More sharing options...
Stooney Posted September 3, 2008 Author Share Posted September 3, 2008 Collisions are easier to find with md5 hashes because the algorithm only makes one pass over the data. Also, there's a number of rainbow tables available for a reverse md5 hash lookup. I keep reading everywhere that it should be avoided. I've also read that sha-1 is close to sharing the same fate. Now that computers are getting faster it's getting easier to find collisions with sha1 hashes (right now it still take a $30m machine to do it a reasonable time frame, but just give it a few years). So that leaves me considering sha-2. I'm just curious if there's any others I haven't heard of that are as good as or better than sha-2. Quote Link to comment Share on other sites More sharing options...
genericnumber1 Posted September 3, 2008 Share Posted September 3, 2008 as he said, just salt md5... it's what most people do with a good enough salt, it won't be in any rainbow table. Quote Link to comment Share on other sites More sharing options...
corbin Posted September 3, 2008 Share Posted September 3, 2008 Collisions are [essentially] harmless with passwords. Hash tables.... Making hashes that are very unlikely to be in hash tables is easy. Quote Link to comment Share on other sites More sharing options...
Mchl Posted September 3, 2008 Share Posted September 3, 2008 See hash() function for some two dozens of hashing algorithms. I think that even if you're afraid of MD5, then well salted SHA1 should suffice for some time. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.