The following code creates an MD5 hash and then hashes it again with SHA-1 – is this secure?

```php
$user = $_POST['username'];
$username = mysqli_real_escape_string($mysqli, $user);
$pass = md5($_POST['password']);
$password = sha1($pass);
```

Does this increase collision possibilities?
Are there any other ways in order to hash and be very fast in processing the password?

Sharanya Dutta
  • No, that is not secure. Read this: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1 – John Conde Feb 26 '14 at 02:08
  • "Very fast" is very undesirable. You want slow. "Very fast" only helps people attempting to crack a hashed password via brute-force. – user229044 Feb 26 '14 at 02:49

2 Answers

There is no practical advantage over single hashing.

Note that MD5 is now considered broken as it is vulnerable to many practical attacks, and algorithms such as SHA1 are not recommended for password hashing.

There are algorithms designed specifically for password hashing, such as PBKDF2. You should use PBKDF2 as your hash - see this question on security.stackexchange.com.

user253751
  • Yes, those algorithms (MD5 and SHA*) are way too fast for hashing passwords. PHP has built-in support for BCrypt, have a look at the function [password_hash()](http://php.net/manual/en/function.password-hash.php). – martinstoeckli Feb 26 '14 at 08:15
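
An added example (not code from the question or from any answer): verifying a login with the `password_hash()` family mentioned in the comment above, and going one step further by upgrading a row still stored with the question's `sha1(md5())` scheme on the next successful login. The function names and the in-memory `$users` array, which stands in for a database table, are assumptions.

```php
<?php
// Added example. legacy_hash(), verify_and_upgrade() and $users are
// hypothetical names; $users stands in for a database table.

// Legacy scheme from the question: unsalted, fast sha1(md5(password)).
function legacy_hash(string $password): string
{
    return sha1(md5($password));
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the stored
// value should be replaced (legacy hash, or outdated algorithm/cost).
function verify_and_upgrade(string $password, string $stored): array
{
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy row: constant-time comparison against the old scheme.
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        // Correct password: re-hash with a salted, deliberately slow algorithm.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample data: one user still stored with the legacy scheme.
$users = ['alice' => legacy_hash('correct horse battery staple')];
$attempts = ['wrong guess', 'correct horse battery staple', 'correct horse battery staple'];

foreach ($attempts as $attempt) {
    [$ok, $newHash] = verify_and_upgrade($attempt, $users['alice']);
    if ($newHash !== null) {
        $users['alice'] = $newHash; // in a real application: UPDATE the row
    }
    // Show only the prefix of the stored value to make the scheme visible.
    printf("%-30s ok=%-3s stored=%s...\n", $attempt, $ok ? 'yes' : 'no',
        substr($users['alice'], 0, 7));
}
```

The stored prefix changes from hex digits to a `$2y$` bcrypt identifier after the first successful login, and the third attempt verifies against the new hash without re-hashing.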
Use sha2 https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_sha2

```
mysql> SELECT SHA2('abc', 224);
```

SHA2() can be considered cryptographically more secure than MD5() or SHA1().

SHA2() was added in MySQL 5.5.5.

zloctb