Possible Duplicate:
Can I md5(sha1(password))?

```php
$pass = md5($_POST["pass"].sha1($_POST["pass"]));
```

I saw this somewhere and was confused. Does this read a password and decrypt it using sha1 then md5, or the reverse? Or are there some other things that I'm missing?

gbachik
  • `.` concatenates strings in PHP. – irrelephant Sep 06 '12 at 23:30
  • It offers the illusion of securely hashing a password, while failing to securely hash the password. – leemeichin Sep 06 '12 at 23:33
  • possible duplicate of [Can I md5(sha1(password))?](http://stackoverflow.com/questions/9143101/can-i-md5sha1password) and http://stackoverflow.com/questions/8110196/php-net-says-that-md5-and-sha1-unsuitable-for-password – mario Sep 06 '12 at 23:41
  • @user1115155 - Please don't do that... The post will be closed by the community. There is no need to "vandalize" your posts. Trust the site :) – Lix Sep 07 '12 at 00:06
  • I rolled back your edit, since you practically deleted your post. – uınbɐɥs Sep 07 '12 at 00:10
  • @sha - for the [second time](http://stackoverflow.com/revisions/12309836/2) :P – Lix Sep 07 '12 at 00:11
  • Please don't vandalize/remove posts. People may have the same question someday. Also, don't re-post it. – uınbɐɥs Sep 07 '12 at 00:15

4 Answers

11

It is hashing $_POST['pass'] with the sha1 algorithm, then combining that hash with $_POST['pass'], then hashing the resulting combined string with the md5 algorithm.

Why, I have no idea.

ceejayoz
5

What it is doing is that it is concatenating the password with the sha1 hashed version of it (one of these is the salt) then hashing it into an MD5 value.

urbanspr1nter
3

Actually it hashes the password.

It concatenates the clear password with the sha1'd password. Then it MD5s the whole thing.

Hugo Dozois
0

It hashes it with MD5.

Takes your password from the form, adds a salt and hashes the whole thing.

Note:

The 'salt' is another hash. It is not a good idea to do it this way; a salt should be a random value that you have made that keeps the password secure.

Alex Reynolds
  • Not sure why someone would vote down a correct answer? Hmm – Alex Reynolds Sep 06 '12 at 23:33
  • I did not, but now I do. You have mistaken a salt with a custom hashing function. As I said, -1 now. – Tadeck Sep 06 '12 at 23:40
  • No they are hashing the password and using that as a salt. They are salting the raw password with a hashed version of the raw password then hashing the whole thing with MD5. So not incorrect. You say tomato I say Tomahto... Still all the same thing – Alex Reynolds Sep 06 '12 at 23:41
  • If you interpret it that way, it makes more sense. But still, if you consider the whole md5($x.sha1($x)) thing as my_hash($x), there is no salt, just a custom hashing function. What I would call a salt is something external, not replicable on the basis of the value we are hashing. See the explanation e.g. here: http://en.wikipedia.org/wiki/Salt_(cryptography) – Tadeck Sep 06 '12 at 23:47
  • I didn't say it was a good salt lol. – Alex Reynolds Sep 06 '12 at 23:59
  • From [Wikipedia](http://en.wikipedia.org/wiki/Salt_(cryptography)): '... a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase.' A hashed password is **not** a salt. – uınbɐɥs Sep 07 '12 at 00:17
  • Sticking to my guns. I think the dev who wrote that line of code was using it as a salt. Not saying it's right just saying that's what the dev was probably doing. Hate me if you will. – Alex Reynolds Sep 07 '12 at 00:21
  • @AlexReynolds Okay, I get your point. – uınbɐɥs Sep 07 '12 at 00:24
  • Thanks. And actually a good salt would be random bits but sadly a lot of devs use the same salt that is hardcoded or so on thinking just cuz they added it, the password is more secure. Anywho peace love world peace whatever I'm out. :) – Alex Reynolds Sep 07 '12 at 00:27
  • @AlexReynolds You have to use a hard-coded salt, but ideally it would be different for each installation of the application (e.g. phpMyAdmin). – uınbɐɥs Sep 07 '12 at 00:28
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/16396/discussion-between-alex-reynolds-and-shaquin-trifonoff) – Alex Reynolds Sep 07 '12 at 00:29
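An added example (not code from the question or from any of the answers) that reproduces the `md5($pass.sha1($pass))` expression in Python, which is exact because PHP's `sha1()` and `md5()` return the same lowercase hex digests as `hashlib`, and contrasts it with a genuinely salted hash as argued in the comments on the last answer. The use of PBKDF2-HMAC-SHA256, the iteration count, and the user names and passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Reproduction of the PHP line from the question: md5($pass . sha1($pass)).
# PHP's sha1() and md5() return lowercase hex strings by default, and `.` is
# string concatenation, so the md5 input is the password followed by the
# 40-character hex sha1 of that same password.
def php_md5_sha1(password: str) -> str:
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.md5((password + inner).encode("utf-8")).hexdigest()

# Everything fed into the hash is derived from the password alone, so the
# output is a deterministic function of the password: two accounts with the
# same password store the same value, and a table of outputs precomputed for
# common passwords applies to every account at once. That is what the comments
# mean by "no salt, just a custom hashing function".
def stored_values(user_passwords: dict) -> dict:
    return {user: php_md5_sha1(pw) for user, pw in user_passwords.items()}

# Contrast: a real salt is random, generated per password, and stored beside
# the result. PBKDF2-HMAC-SHA256 is the assumed slow, salted function here;
# the page itself does not name a replacement.
def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> tuple:
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = 100_000) -> bool:
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same password.
    users = {"alice": "hunter2", "bob": "hunter2"}
    unsalted = stored_values(users)
    print("question's scheme :", unsalted)  # identical value for alice and bob
    a_salt, a_digest = salted_hash("hunter2")
    b_salt, b_digest = salted_hash("hunter2")
    print("salted digests differ:", a_digest != b_digest)  # True
    print("verify alice         :", verify_salted("hunter2", a_salt, a_digest))  # True
```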