KevinM1 Posted December 5, 2012 Share Posted December 5, 2012 http://arstechnica.com/security/2012/12/oh-great-new-attack-makes-some-password-cracking-faster-easier-than-ever/ Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/ Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/ Share on other sites More sharing options...
Beeeeney Posted December 5, 2012 Share Posted December 5, 2012 I know some of those words. Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1397712 Share on other sites More sharing options...
Hall of Famer Posted December 5, 2012 Share Posted December 5, 2012 Well in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally the new string is concatenated with salt and pepper, a sha512 function is then acted on the combined string to give a final result. The difference between pepper and salt is that the former is hard coded for each site/application, while salt is user-specific and alterable. Heres the way I did it lol: public function encrypt($username, $password, $salt){ $config = Registry::get("config"); $pepper = $config->peppercode; $password = md5($password); $newpassword = sha1($username.$password); $finalpassword = hash('sha512', $pepper.$newpassword.$salt); return $finalpassword; } Kinda weird isnt it? Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1397713 Share on other sites More sharing options...
RobertP Posted December 6, 2012 Share Posted December 6, 2012 you could just use the native crypt function.. blowfish implementation private function encrypt($string, $salt) { if (strlen($salt) < 21) trigger_error('Member#encrypt: Failed due to salt length less then 21.', E_USER_ERROR); return crypt($string, '$2y$10$' . $salt . '$'); } Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1397773 Share on other sites More sharing options...
Amplivyn Posted December 14, 2012 Share Posted December 14, 2012 I was using sha1... must change... Just wondering though, are there any specific PHP security books you guys recommend? Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1399468 Share on other sites More sharing options...
Christian F. Posted December 15, 2012 Share Posted December 15, 2012 Not PHP specific, but Innocent Code is highly recommended for all web developers. Though, we're moving a bit off-topic here, so I suggest starting a new thread for this, if there isn't one already, in the right section. Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1399505 Share on other sites More sharing options...
Stefany93 Posted December 15, 2012 Share Posted December 15, 2012 Opencart uses SHA1 for storing passwords. I was a bit shocked when I saw that since that hashing algorithm is now obsolete. Link to comment https://forums.phpfreaks.com/topic/271641-yet-another-reason-not-to-use-sha1-as-a-password-hash/#findComment-1399514 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.