0

Hi,
I need to secure my password and here are my questions.
1. What is the best method of making a salt? I have seen enough arguments for not using user info but rather random values.

2. How do I know user salt if I used random one? Should I store on password database? If yes isn't it added advantage to a hacker.

3. Which hashing algorith is better? MD5 hash? SHA1 or what??
Thanks.

3
Contributors
6
Replies
7
Views
7 Years
Discussion Span
Last Post by Stefano Mtangoo
0

Personally, I use something along the lines of the following:

$salt = sha1(md5($_POST['password']));
$password = md5($_POST['password'].$salt);

Using strings such as username or user id is not a good idea as these will be known by anyone using the site, but using the password means that it is unique for each user without having to save the sale string anywhere.

Also, providing you salt the password, then MD5 should be fine :)

0

Personally, I use something along the lines of the following:

$salt = sha1(md5($_POST['password']));
$password = md5($_POST['password'].$salt);

Using strings such as username or user id is not a good idea as these will be known by anyone using the site, but using the password means that it is unique for each user without having to save the sale string anywhere.

Also, providing you salt the password, then MD5 should be fine :)

If password is the same then hash will be the same isn't it? What is your opinion on random salt?

0

I agree with Gresham but beg to defer on the code an not concept.
Example:

function truehash($input) {
return hash('sha1',substr(hash('sha1',$input),4,-4).hash('crc32',$input));
}
0

I agree with Gresham but beg to defer on the code an not concept.
Example:

function truehash($input) {
return hash('sha1',substr(hash('sha1',$input),4,-4).hash('crc32',$input));
}

Why you don't agree with Will?

0

Why you don't agree with Will?

Because if the sha1 and md5 algorithms are cracked then the entire salt and encryption Will suggested can be cracked. However with my method part of the original hash has been destroyed with substr and you would need a lot of guess work before getting the decoded result. So therefore mine is more secure.

0

Cool I understand now.
I need to hear also your comments on pros and cons of random one and how to achieve it. Just idea

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.