Yet Another Reason Not To Use Sha1 As A Password Hash


#1 KevinM1

  • Moderators
  • Snarkimus Prime
  • 5,248 posts
  • Location: New Hampshire, USA

Posted 05 December 2012 - 03:31 PM


Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/
Using 'global' is a sign of doing it wrong

#2 Beeeeney

  • Members
  • Advanced Member
  • 194 posts
  • Location: England!
  • Age: 20

Posted 05 December 2012 - 03:37 PM

I know some of those words.

#3 Hall of Famer

  • Members
  • OOP Fanboi
  • 315 posts
  • Location: Ithaca

Posted 05 December 2012 - 03:37 PM

Well, in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally the new string is concatenated with salt and pepper, a sha512 function is then acted on the combined string to give a final result. The difference between pepper and salt is that the former is hard coded for each site/application, while salt is user-specific and alterable. Here's the way I did it lol:

    public function encrypt($username, $password, $salt){
        $config = Registry::get("config");
        $pepper = $config->peppercode; // site-wide pepper read from the config
        $password = md5($password);
        $newpassword = sha1($username.$password);
        $finalpassword = hash('sha512', $pepper.$newpassword.$salt);
        return $finalpassword;
    }

Kinda weird, isn't it?

Edited by Hall of Famer, 05 December 2012 - 03:39 PM.

Welcome to the world of OOPHP! In a perfect script, everything is an object. You cannot be perfect, but you can approach as close as can.


#4 RobertP

  • Members
  • Advanced Member
  • 288 posts

Posted 06 December 2012 - 01:31 AM

You could just use the native crypt function.

blowfish implementation
    private function encrypt($string, $salt) {
        if (strlen($salt) < 21)
            trigger_error('Member#encrypt: Failed due to salt length less than 21.', E_USER_ERROR);
        // The '$2y$10$' prefix selects bcrypt (CRYPT_BLOWFISH) with a cost of 10
        return crypt($string, '$2y$10$' . $salt . '$');
    }

Edited by RobertP, 06 December 2012 - 01:31 AM.

u tha king Pikachu2000!!

#5 Amplivyn

  • Members
  • Member
  • 26 posts

Posted 14 December 2012 - 11:14 PM

I was using sha1... must change...

Just wondering though, are there any specific PHP security books you guys recommend?
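
An added example, not part of any post in this thread: one way to move stored SHA1 hashes to salted bcrypt at login time, using PHP's built-in password_hash(), password_verify() and password_needs_rehash() (PHP 7.1+ as written). The unsalted 40-character SHA1 legacy format, the function name verifyAndUpgrade, the cost of 12 and the $save callback are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes legacy rows hold an unsalted
// sha1() hex digest; $save is a hypothetical callback that stores the new hash.

const BCRYPT_OPTIONS = ['cost' => 12];

/**
 * Check a login attempt and upgrade the stored hash when it is legacy or weak.
 * Returns true when the password matches.
 */
function verifyAndUpgrade(string $password, string $stored, callable $save): bool
{
    // Legacy format: exactly 40 hex characters, i.e. a raw SHA1 digest.
    if (preg_match('/^[0-9a-f]{40}$/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($stored), sha1($password))) {
            return false;
        }
        // The password is known to be correct here: replace SHA1 with bcrypt.
        // password_hash() generates a fresh random salt on every call.
        $save(password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
        return true;
    }

    // Current format: password_verify() reads the algorithm, cost and salt
    // from the stored string itself.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash if the configured cost was raised after this hash was created.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $save(password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
    }
    return true;
}

// Constructed sample: a user row that still holds a SHA1 digest.
$row = ['hash' => sha1('correct horse')];
$save = function (string $newHash) use (&$row): void {
    $row['hash'] = $newHash;
};

var_dump(verifyAndUpgrade('wrong guess', $row['hash'], $save));   // wrong password
var_dump(verifyAndUpgrade('correct horse', $row['hash'], $save)); // triggers the upgrade
var_dump(strpos($row['hash'], '$2y$12$') === 0);                  // checks the new prefix
var_dump(verifyAndUpgrade('correct horse', $row['hash'], $save)); // uses password_verify()
```

Accounts that never log in again keep their SHA1 digest under this scheme, so those rows still need a forced reset or a separate wrapping step.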

#6 Christian F.

  • Staff Alumni
  • Advanced Member
  • 3,106 posts
  • Location: Norway

Posted 15 December 2012 - 08:00 AM

Not PHP specific, but Innocent Code is highly recommended for all web developers. Though, we're moving a bit off-topic here, so I suggest starting a new thread for this, if there isn't one already, in the right section. ;)
Keeping it simple.

#7 Stefany93

  • Members
  • Advanced Member
  • 263 posts
  • Location: The motherland of Perl
  • Age: 23

Posted 15 December 2012 - 09:11 AM

OpenCart uses SHA1 for storing passwords. I was a bit shocked when I saw that since that hashing algorithm is now obsolete.

Edited by Stefany93, 15 December 2012 - 09:12 AM.

"Put your faith in God and keep your powder dry" - Oliver Cromwell
My site - http://stefanynewman.info
