The14thGOD, posted April 27, 2009:

I've come back to start digging into security for PHP and I was reading up on salt methods, etc., when I noticed there were lots of mixed thoughts on which hash to use. I eventually came to: http://www.php.net/manual/en/function.hash.php#89574

I know it kind of depends on the site but which is generally the most secure? Is/are md5/sha1 basically outdated?

Thanks for any and all help clearing this up!

Justin

steveangelis, posted April 27, 2009:

Most people like myself use md5 but I personally use md5 twice like this: md5(md5())

Mchl, posted April 27, 2009:

> Most people like myself use md5 but I personally use md5 twice like this: md5(md5())

Thus increasing chances for collision.

The14thGOD: It really depends on what you're using these hashes for. Well salted md5 will still require a lot of resources to find a collision. On the other hand md5 should not be used any longer for 'signing' the contents of the file. It has been demonstrated that you can falsify such signatures in relatively short time.

The14thGOD (author), posted April 27, 2009:

I'm going to show my real newbness here to PHP Security, what do you mean by 'signing' the contents of the file?

Mchl, posted April 27, 2009:

Here: http://www.win.tue.nl/hashclash/Nostradamus/

cringe, posted April 27, 2009:

Define the hash algorithm as a DEFINE in an include file and then use http://us2.php.net/manual/en/function.hash.php. This way, you can change it in one place. I'd go with at least sha256 to future-proof your apps.

    define('YOURHASHALG', 'sha256');
    hash(YOURHASHALG, $string);
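
An added example, not part of any post in this thread: changing the constant in one place only works if hashes stored under the old algorithm can still be checked, so this sketch stores the algorithm name and a random salt next to each digest and flags old records for re-hashing. The function names and the `algorithm$salt$digest` record layout are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Function names and the stored-record
// layout "algorithm$salt$digest" are assumptions made for illustration.
define('YOURHASHALG', 'sha256'); // the single place to change, as in the post above

// Build a self-describing record: the algorithm name and a per-record random
// salt are stored next to the digest.
function make_hash_record(string $string, string $alg = YOURHASHALG): string
{
    if (!in_array($alg, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported algorithm: $alg");
    }
    $salt = bin2hex(random_bytes(16));
    return $alg . '$' . $salt . '$' . hash($alg, $salt . $string);
}

// Verify with the algorithm named in the record, not the current constant,
// so records written before the constant changed still verify.
function verify_hash_record(string $string, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3 || !in_array($parts[0], hash_algos(), true)) {
        return false; // malformed record or unknown algorithm
    }
    [$alg, $salt, $digest] = $parts;
    return hash_equals($digest, hash($alg, $salt . $string)); // constant-time compare
}

// True when a record was made with an algorithm other than the current one.
function needs_rehash(string $record): bool
{
    return strtok($record, '$') !== YOURHASHALG;
}

// Constructed sample: a record written while the site still used md5.
$old = make_hash_record('correct horse', 'md5');
var_dump(verify_hash_record('correct horse', $old));
var_dump(verify_hash_record('wrong input', $old));
var_dump(needs_rehash($old));

// After a successful verify, re-create the record with the current algorithm.
if (verify_hash_record('correct horse', $old) && needs_rehash($old)) {
    $new = make_hash_record('correct horse');
    var_dump(needs_rehash($new));
}
```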