Password hash

[radofeya]

Can anybody give me some comment about the hash function such as shah1(), md5(), etc

Thank you

 

[xeebfor]

Ok for normal website -
but if you want to use them for a gov website :

BEWARE, THEY HAVE BEEN CRACKED.

See: http://www.technewsworld.com/story/35926.html

 

[radofeya]

Ya, I also noticed this before, how about if we cascade the two hash function, shah1() and md5(); will this help to reduce the possibility of crack?

2nd, as what I know, the research team found the collision of this two hash function.
Anybody know how often will this collision occur?
Is this brings us trouble at the future when our website became famous?


Thank you!

 

[woiwky]

I prefer using sha256 myself, which you can use through the hash() function:

hash('sha256', $string);

Rehashing passwords does add some security, although salting is arguably better. Then again, there's nothing stopping you from combining the two.

 

[mattura]

A good security technique is to hash passwords with a salt (as mentioned above). That way, if somebody gets hold of your database, and runs dictionary attacks on the passwords, they won't be able to find even the simple passwords ('tree', 'hat' etc) becasue the hash of the password plus the salt would be different:

//login auth segment:
$salt="*^MY_SALT123^*"; //include various random characters etc
$password=$_REQUEST['password']; //from form
$pwhash=sha1($salt.$password);
//[read your database]
if ($pwhash==$row['password']) {
  //login
} else {
 //bad password
}

Hashes are not 'cracked'. Hashes are irreversible functions. But there are automated programs which can search huge databases of hashed 'passwords' until they find one which matches your hash. Thereby figuring out your password by what it hashes to. So now you will all choose 'safer' passwords, won't you?