I have a question in security programming. As all of us know, when we have a database with passwords or anything sensitive, we would like to encrypt it so it is not readable by other. Now I want to know, which of the method is secured or less secured. Is it Iterative Salting (1000x iterative) or Encryption method such as SHA 256, MD5, and all others. Kindly give me your opinion on this please.
At password creation (registration or change)
- create a random salt (for example f4i, or whatever, it doesn't have to be long)
- insert into the database $salt . sha1($salt . $password) or $salt . sha1($salt . md5($salt . $password)) , whatever you like. It's best to create or use some function that uses as many md5 and sha1's as possible, perhaps 1000 or 5000 (something that takes a second or 2).
At login, retrieve the password from the database, get the first 3 (salt length) characters, calculate the same (above) and check if it matches.
Again, there are scripts available that do this for you and perhaps even more smart thing I can't think of.