
I need a little check on my code to see if it is safe or not.

```php
<?php
$pass = "jitubond";
$hashed_password = md5($pass);
echo $hashed_password; // this is unsafe 100%
echo "<br>";
$hashed = hash("sha512", $pass); // style 1: sha512 of the plain password
echo $hashed;
echo "<br>";
$hashed = hash("sha512", $hashed_password); // style 2: sha512 of the md5 hash
echo $hashed;
```

Can you tell me whether it is OK to use this for passwords or not?

Thanks everyone =)

2 Answers

It is also much safer to use crypt(), where you can also define the number of rounds and the salt (you should really use salts), which is also part of the PHP core:

http://php.net/manual/en/function.crypt.php

https://stackoverflow.com/a/10281510/753676

You can also not rely on hash() as it is not part of the PHP core: http://php.net/manual/en/faq.passwords.php

Also PHPass is a very good option: https://security.stackexchange.com/questions/17111/php-crypt-or-phpass-for-storing-passwords

Some examples: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

http://www.openwall.com/phpass/

Blowfish/bcrypt is also mentioned as the most secure algorithm (but may be too CPU-expensive), and you can set some parameters like the cost factor...

Some servers also have PHP installed with the mcrypt library, which also supports more algorithms like Twofish, Threefish and so on (http://www.php.net/manual/en/intro.mcrypt.php), but this may be too much.

Community

sha512 is a very good algorithm to use, it is overkill to first use an md5, just use sha512.

randomizer
  • So the **style 1** is safe? – Jitu Bond-Boy May 29 '13 at 09:09
  • It's one of the more safe ways, yes :), but it can always be safer of course. – randomizer May 29 '13 at 09:11
  • Not as safe as `crypt` with more rounds; encrypting the password multiple times (like in style 2) makes more sense, but use the same algorithm (just sha2). –  May 29 '13 at 09:11
  • Yes, style one by itself is fine. However, you should use something like [password_compat](https://github.com/ircmaxell/password_compat) as it's going to be in PHP 5.5 anyway, and you can make your current password scheme safe with that. – Mark Tomlin May 29 '13 at 09:12
  • I'd recommend watching Anthony Ferrara's [brilliant presentation on password storage](http://www.youtube.com/watch?v=T4NTdRvIrdk). sha512 is not really safe on its own. – Jamie Schembri May 29 '13 at 09:55
  • Of course, it can always be safer; my advice is purely based on the topic starter's question. – randomizer May 29 '13 at 10:37
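An added example (not code from the question or either answer) showing the salted, cost-tunable approach the first answer and the password_compat comment recommend, using PHP's `password_hash()` / `password_verify()` (built in from PHP 5.5, or supplied by the password_compat polyfill on older versions). It also contrasts this with the unsalted "style 1" sha512 from the question. Function names and the cost value 12 are this example's own choices.

```php
<?php
// Unsalted "style 1" from the question: the same password always yields the
// same digest, so equal passwords are visible in a leaked table and the
// digests can be attacked with precomputed tables.
function style1_hash($password) {
    return hash('sha512', $password);
}

// bcrypt via password_hash(): a fresh random salt is generated on every call
// and the cost factor is embedded in the returned string alongside the salt.
function store_password($password, $cost = 12) {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verification reads salt and cost back out of the stored string and compares
// in constant time. password_needs_rehash() flags hashes made with a lower
// cost so they can be upgraded on the next successful login, without a reset.
function check_password($password, $stored, $cost = 12) {
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])
        ? store_password($password, $cost)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

$pass = 'jitubond'; // the sample password from the question

// Two users with the same password: sha512 digests are identical,
// bcrypt hashes are not, because each carries its own salt.
var_dump(style1_hash($pass) === style1_hash($pass));
$h1 = store_password($pass);
$h2 = store_password($pass);
var_dump($h1 === $h2);
var_dump(password_verify($pass, $h1));
var_dump(password_verify('wrong', $h1));

// A hash stored at cost 10 is accepted and flagged for an upgrade to cost 12.
$old = store_password($pass, 10);
$result = check_password($pass, $old, 12);
var_dump($result['ok'], $result['rehash'] !== null);
```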