Password Encryption

[onlyican]

Hey guys

I am working on a script
and the old script uses sha1() when creating a user to encrypt the password for the database

I personally use md5()

Which one is best and why?

[Psycho]

sha1 uses more bits than MD5 so it would have less collisions. So, in a sense, it is more secure.

What does that mean? Well, both MD5 and sha1 are one-way encryptions - they cannot be truely decrypted. This is because both methods have a finite number of "results", yet you can encrypt an infinite number of values. So, for every string that can be encrypted with MD5 or sha1, there are other strings that will encrypt to the same thing - that is a collision. But, it's not like someone will have the password "doghouse" and another match for that encryption will be a recognizable word. It would be something more like "Fhfejfh78fy9*FE7&efB CFFHRCU*WRrcY&Wc7Hyr447%^(#4". And, I doubt any one is going to be trying hack someone's password with that.

EDIT: In any case (IMHO), as long as you are using one of those methods correctly, you are more likely to have unauthorized intrusions through the back end or secuirty holes, weak passwords by users, or through phishing. There are many things to be done to ensure that the backend is secure (which is beyond my expertise) as well as ensuring there are no security holes, and you can also implement functionality to require strong passwords (if that is an option with your user base), but there is nothing you can do about the last.

[onlyican]

I have also read today that MD5 uses RSA Data Security, Inc. MD5 Message-Digest Algorithm,