0

I am currently building a basic auth syste, and i have an user activation feature what generates a 20 character long string and encodes it to sha1 , but i saw a few other systems use base64_encode could please someone explain what is better and why?

Thank you

Side
  • 1,753
  • 9
  • 35
  • 64
  • what data is in the "20 character long string"? If it is just a random string of characters, there would be no difference other than length and no real difference/security in just using the 20 character string. – Jonathan Kuhn Mar 12 '13 at 17:05
  • 1
    Please see also http://stackoverflow.com/q/549/1741542 – Olaf Dietsche Mar 12 '13 at 17:08

3 Answers3

2

they are quite different -- SHA1 is a one way hash function, which means that you cannot go back from the encoded string to the original string. However, base64_encode is a two way encoding function, meaning you can get the original value back using base64_decode.

Security wise, it means that anyone who gets his hands on a base64_encoded value can easily decode it, whereas a SHA1 value required brute force, and a lot of time.

Nick Andriopoulos
  • 10,313
  • 6
  • 32
  • 56
2

You could scrap the idea of even encoding/hashing the string and use openssl_random_pseudo_bytes to generate a string and then use that.

echo bin2hex(openssl_random_pseudo_bytes(10));

Example output:

root@upstairslinux:/var/www# php openssl.php
67b206be9ceef1c4974f

root@upstairslinux:/var/www#
Jordan Doyle
  • 2,976
  • 4
  • 22
  • 38
  • you just gave me a good idea with this and confirmed something what i was not sure about, thanks – Side Mar 12 '13 at 17:12
1

You are generating a string of random characters. No kind of encoding or hashing is likely to bring you any benefits.

sha1 will make the string shorter and make it (very very slightly) easier to guess the required string.

base64 will make the string longer and make it more likely that wordwrapping will break any URL you inject it into.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335