[SOLVED] MD5 vs SHA1

[soycharliente]

I hear a lot of people talk about how MD5 is slowly becoming obsolete. They say that in a few years no one will use it because of the number of rainbow tables that are being created. Disk space is so cheap and easy that they could have thousands and thousands of hashes together. Also that MD5 could feasibly repeat if the sample size was large enough.

 

I don't really hear people talk about SHA1 at all.

 

I've read a few articles about both, but I just wanted to ask people what they think about each.

[Daniel0]

It doesn't necessarily have to be either of those two. The hash extension provides a multitude of other hashing algorithms which you can use. That extension is enabled by default in PHP5.

[Orio]

Go for something more complicated then. That's almost impossible to crack, even with huge rainbow tables.

 

<?php

$salt = "324@ 52#QMFe3E222%%";
$hash = sha1($salt.md5($pass));

?>

 

Orio.

[GingerRobot]

Any salting will prevent the use of rainbow tables. The idea behind a rainbow table is that the hashes have previously been computed. If you're using a salt, these pre-computed hashes will be meaningless. Of course, it would be theoretically possible to have a rainbow table containing values with different salts, but given that present rainbow tables tend to struggle with a straightforward MD5 hashing of a random letter-number combination of sufficient length, i wouldn't worry about that in a hurry.

 

Also that MD5 could feasibly repeat if the sample size was large enough.

 

Not just could - they will repeat. And this will happen with any of the hashing algorithms. As far as i'm aware there is no upper limit to the number of characters that can be turned into an MD5 (or SHA1) hash. Therefore, each hash does actually have an infinite number of corresponding unhashed strings. Of course, the odds of finding just two strings which produce the same hashed value are pretty low.