-1

I want to make a website with a login system.

Which hashing method should I use?

I used to hash my website's passwords with md5() but everyone said I should not use it.

Why not?

How can md5 get cracked?

Abela
Doruk Ayar
  • http://stackoverflow.com/questions/2948156/algorithm-complexity-security-md5-or-sha1 – Kitson88 Nov 16 '16 at 11:11
  • @VikasUmrao - No! Salting is an improvement; but sha1 is as flawed as md5. Use PHP's built-in [password_hash()](http://www.php.net/manual/en/function.password-hash.php)/[password_verify()](http://www.php.net/manual/en/function.password-verify.php) functions – Mark Baker Nov 16 '16 at 11:14
  • `How can md5 get cracked?` google: MD5 Rainbow Tables and sha1 is more complex and always use salts. @Mark has the right answer. – JustOnUnderMillions Nov 16 '16 at 11:18
  • Had you Google'd your question's title, you would have seen this being on top of the found list: http://security.stackexchange.com/questions/19906/is-md5-considered-insecure along with a few more relevant links following it. This question showed no effort. – Funk Forty Niner Nov 16 '16 at 12:20
  • @Harikrishnan The answer you linked to is not an appropriate answer to this question, the question is more about password hashing than MD5 vs SHA1, neither are the correct solution for password hashing. – zaph Nov 16 '16 at 12:40
  • @zaph I can reopen and reclose with http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords if you feel that is more appropriate as a possible duplicate. Or, find one and paste the link in here that you may feel to be the better dupe. Or http://stackoverflow.com/questions/36763335/using-md5-and-password-hash-function-when-storing-in-database – Funk Forty Niner Nov 16 '16 at 13:09
  • @zaph I made a slight edit to my comment above (reload it to see) and added another link. Would you rather the first or the second one? – Funk Forty Niner Nov 16 '16 at 13:12
  • Probably the first answer, the second is more about migrating. The issue is to use password_hash/password_verify in PHP. IOW a computationally expensive iterating hash. – zaph Nov 16 '16 at 13:14
  • @zaph It has been done, *cheers* – Funk Forty Niner Nov 16 '16 at 13:15

1 Answer

4

Please reference the documentation on Password Hashing for why you should not use md5() and please reference the password_hash() documentation on what you should use.

Abela
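
The `password_hash()`/`password_verify()` approach recommended in the comments and the answer, as an added example that is not part of the original thread or the PHP manual. It also shows one way to upgrade rows that still hold an `md5()` digest on the next successful login. The in-memory `$users` array, the `register()`/`login()` function names and the sample passwords are assumptions made for illustration.

```php
<?php
// Hypothetical in-memory "users table" (username => stored hash).
// Constructed sample data: alice still has a legacy unsalted md5() digest.
$users = ['alice' => md5('correct horse')];

function register(array &$users, string $name, string $password): void
{
    // password_hash() generates a random salt and embeds algorithm, cost and
    // salt in the returned string, so a single column stores everything.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // Assumption: legacy rows are bare 32-character hex md5 digests.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password for a legacy row: replace the md5 digest now.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when PASSWORD_DEFAULT or its cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register($users, 'bob', 'hunter2');
register($users, 'carol', 'hunter2');
var_dump($users['bob'] === $users['carol']);  // per-user salt: do the two hashes match?
var_dump(md5('hunter2') === md5('hunter2'));  // unsalted md5 of the same password
var_dump(login($users, 'alice', 'correct horse'));        // legacy row, right password
var_dump(password_get_info($users['alice'])['algoName']); // algorithm now stored for alice
var_dump(login($users, 'alice', 'wrong'));                // wrong password after upgrade
```

The hash column should be wide enough for future algorithms; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.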