
Yet Another Reason Not To Use Sha1 As A Password Hash





Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/


Well, in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally the new string is concatenated with salt and pepper, a sha512 function is then acted on the combined string to give a final result. The difference between pepper and salt is that the former is hard coded for each site/application, while salt is user-specific and alterable. Here's the way I did it lol:


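    public function encrypt($username, $password, $salt){
        // Site-wide pepper comes from the application config
        $config = Registry::get("config");
        $pepper = $config->peppercode;
        // md5 of the raw password, then sha1 of username + md5 digest
        $password = md5($password);
        $newpassword = sha1($username.$password);
        // Final digest: sha512 over pepper + sha1 digest + per-user salt
        $finalpassword = hash('sha512', $pepper.$newpassword.$salt);
        return $finalpassword;
    }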


Kinda weird, isn't it?

Edited by Hall of Famer

You could just use the native crypt function.


blowfish implementation

    private function encrypt($string, $salt) {
        // '$2y$' selects Blowfish (bcrypt) in crypt(); '10' is the cost factor
        if (strlen($salt) < 21) {
            trigger_error('Member#encrypt: Failed due to salt length less then 21.', E_USER_ERROR);
        }
        return crypt($string, '$2y$10$' . $salt . '$');
    }

Edited by RobertP
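
An added example, not code from any poster in this thread: one way to move accounts stored with the md5/sha1/sha512 chain above onto bcrypt at the next successful login, using PHP's built-in `password_hash()`, which generates the salt itself. The `$user` array layout, the function names and the sample values are assumptions made for the illustration.

```php
<?php
// Added example; names, record layout and sample values are constructed.
const BCRYPT_OPTIONS = ['cost' => 10]; // same cost factor as the '$2y$10$' prefix above

function legacy_hash(string $username, string $password, string $salt, string $pepper): string
{
    // The chain from the earlier post: three fast hashes, still cheap to brute-force.
    return hash('sha512', $pepper . sha1($username . md5($password)) . $salt);
}

function verify_and_upgrade(array &$user, string $password, string $pepper): bool
{
    if (strpos($user['hash'], '$2y$') === 0) {
        // Record is already bcrypt: constant-time check, then raise the cost if it changed.
        if (!password_verify($password, $user['hash'])) {
            return false;
        }
        if (password_needs_rehash($user['hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
            $user['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        }
        return true;
    }

    // Legacy record: compare with hash_equals() to avoid a timing side channel.
    $expected = legacy_hash($user['name'], $password, $user['salt'], $pepper);
    if (!hash_equals($user['hash'], $expected)) {
        return false;
    }

    // The plaintext is only available now, so re-hash it with bcrypt immediately.
    // Note: bcrypt only reads the first 72 bytes of the password.
    $user['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $user['salt'] = null; // the bcrypt string embeds its own random salt
    return true;
}

// Constructed sample record standing in for a database row.
$pepper = 'constructed-site-pepper';
$user = ['name' => 'alice', 'salt' => 'constructed-user-salt', 'hash' => ''];
$user['hash'] = legacy_hash($user['name'], 'correct horse', $user['salt'], $pepper);

var_dump(verify_and_upgrade($user, 'wrong guess', $pepper));   // rejected, record unchanged
var_dump(verify_and_upgrade($user, 'correct horse', $pepper)); // accepted via the legacy path
var_dump(strpos($user['hash'], '$2y$10$') === 0);              // record is now bcrypt
var_dump(verify_and_upgrade($user, 'correct horse', $pepper)); // accepted via password_verify()
```

Accounts that never log in again keep their legacy hash, so the caller still has to decide when to expire those records.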