KevinM1 Posted December 5, 2012 http://arstechnica.com/security/2012/12/oh-great-new-attack-makes-some-password-cracking-faster-easier-than-ever/ Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/
Beeeeney Posted December 5, 2012 I know some of those words.
Hall of Famer Posted December 5, 2012 Well in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally the new string is concatenated with salt and pepper, and a sha512 function is then applied to the combined string to give the final result. The difference between pepper and salt is that the former is hard coded for each site/application, while salt is user-specific and alterable. Here's the way I did it lol:

    public function encrypt($username, $password, $salt){
        // Pepper is a site-wide secret read from the application config.
        $config = Registry::get("config");
        $pepper = $config->peppercode;
        // Step 1: MD5 of the raw password.
        $password = md5($password);
        // Step 2: SHA1 over username + MD5 digest.
        $newpassword = sha1($username.$password);
        // Step 3: SHA512 over pepper + previous digest + per-user salt.
        $finalpassword = hash('sha512', $pepper.$newpassword.$salt);
        return $finalpassword;
    }

Kinda weird isn't it? Edited December 5, 2012 by Hall of Famer
RobertP Posted December 6, 2012 You could just use the native crypt function.. blowfish implementation

    private function encrypt($string, $salt) {
        // bcrypt ("$2y$") needs exactly 22 salt characters from ./A-Za-z0-9;
        // a shorter salt makes crypt() return a failure string instead of a hash.
        if (strlen($salt) < 22)
            trigger_error('Member#encrypt: Failed due to salt length less than 22.', E_USER_ERROR);
        // "10" is the cost factor (2^10 rounds); raise it as hardware gets faster.
        return crypt($string, '$2y$10$' . $salt);
    }

Edited December 6, 2012 by RobertP
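A complete version of the crypt()-based approach above, added here as an illustration rather than RobertP's own code: it generates a properly sized 22-character salt, refuses to store crypt()'s failure output, and verifies a password with a constant-time comparison. It assumes PHP 5.3.7 or later (for the $2y$ prefix) and openssl_random_pseudo_bytes(); on PHP 5.5+ password_hash() and password_verify() do the same job and should be preferred.

```php
<?php
// Added example, not code from the thread. bcrypt via PHP's native crypt():
// the setting string is "$2y$<cost>$" followed by exactly 22 characters from
// the alphabet ./A-Za-z0-9; anything shorter makes crypt() fail.

function bcryptSalt($cost = 10) {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 4..31');
    }
    // 16 random bytes -> base64 -> swap '+' (not in bcrypt's alphabet) for '.',
    // then keep the first 22 characters.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hashPassword($password, $cost = 10) {
    $hash = crypt($password, bcryptSalt($cost));
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function verifyPassword($password, $storedHash) {
    // Passing the stored hash as the salt reuses its cost and salt fields.
    $candidate = crypt($password, $storedHash);
    if (strlen($candidate) !== strlen($storedHash)) {
        return false;
    }
    // Constant-time comparison so timing does not leak how many bytes matched.
    $diff = 0;
    for ($i = 0; $i < strlen($storedHash); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($storedHash[$i]);
    }
    return $diff === 0;
}

// Demo: every call draws a fresh salt, so the same password never hashes the same way twice.
$stored = hashPassword('correct horse battery staple');
var_dump(strlen($stored));
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
```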
Amplivyn Posted December 14, 2012 I was using sha1... must change... Just wondering though, are there any specific PHP security books you guys recommend?
Christian F. Posted December 15, 2012 Not PHP specific, but Innocent Code is highly recommended for all web developers. Though, we're moving a bit off-topic here, so I suggest starting a new thread for this, if there isn't one already, in the right section.
Stefany93 Posted December 15, 2012 Opencart uses SHA1 for storing passwords. I was a bit shocked when I saw that since that hashing algorithm is now obsolete. Edited December 15, 2012 by Stefany93