Can hashing the same variable multiple times using both md5 and sha1 make the string more difficult to decrypt and increase security?

Can concatenating the MD5 and SHA1 versions of the same string and then finally hashing it once more with password_hash() help?

  • This is "security through obscurity". Don't do it. Use `password_hash` and something like bcrypt (blowfish cipher), which is the default in PHP as of 5.5. – Jeremy Harris Jan 18 '17 at 19:26
  • Technically: yes. But practically: **don't!** Use **[password_hash()](http://php.net/manual/en/function.password-hash.php)**. Also: it's a hash, not an encryption. Unless you have a lot of processing power (which attackers have), they are one-way by design. – Franz Gleichmann Jan 18 '17 at 19:26
  • either way you slice and dice it, it still boils down to md5/sha1. So the short answer to this is: no. (my opinion anyway) – Funk Forty Niner Jan 18 '17 at 19:27
  • Plus, it's just going to make it that much harder (if not impossible) to verify, so think about it for a minute as to how many times you want to find a bovine that's been hashed 50 times and try to recover some bones from it and make it look like that again. – Funk Forty Niner Jan 18 '17 at 19:28
  • Sorry @Fred-ii-, my short answer is yes. `md5(md5('admin'))` makes it a little harder for rainbow tables to determine the original string. But on the question of whether it's secure you will receive a big fat **no** from me as well. – Xorifelse Jan 18 '17 at 19:35
  • @Xorifelse no problemo, nonetheless... md5 is still md5 and sha1 is still sha1 any which way you slice it or dice it. Plus, how on earth will they ever compare those back for a match? – Funk Forty Niner Jan 18 '17 at 19:36
  • this question is starting to attract opinion-based answers. – Funk Forty Niner Jan 18 '17 at 19:37
  • *"Can concatenating the MD5 and SHA1 versions of same string and then finally hashing it once more with either MD5 or SHA1, help?"* - about that added edit: why are you insisting on using this and what is it for? and will you even be responding to comments or just "answers"? To which I will not be submitting. – Funk Forty Niner Jan 18 '17 at 19:38
  • @Fred-ii- I just want to make the string even harder for humans to understand; it doesn't matter if this technique makes my script a little slow. For login purposes. – Mohit Mishra Jan 18 '17 at 19:40
  • *"For Login purposes"* - is there a specific reason you're not using what's already "safe"? such as `password_hash()` - @MohitMishra you seem to want to create your own method here, am I correct? and is this db-related also? – Funk Forty Niner Jan 18 '17 at 19:42
  • yes you are correct @Fred-ii- . – Mohit Mishra Jan 18 '17 at 19:43
  • Ah, I thought so. Well my new answer for this is: just don't. We see questions like these often and it just ends up having too many comments, others argue with one another etc. where it only boils down to "don't roll your own...". Use `password_hash()` and you won't have to spend more time and energy than you've already spent, including much more later on... and to then try and verify that after. @MohitMishra – Funk Forty Niner Jan 18 '17 at 19:45
  • Well, can't we use `password_hash()` multiple times or finalize the string concatenation using this function instead of md5 and sha1? – Mohit Mishra Jan 18 '17 at 19:46
  • you're welcome but ...what do you mean by what you said just above? what are you *really* wanting to do here and why? you need to edit your question as to its true nature. – Funk Forty Niner Jan 18 '17 at 19:47
  • You don't need to use `password_hash()` multiple times; you just need to use it once. If you use that multiple times, your verify won't work, believe me when I say this. – Funk Forty Niner Jan 18 '17 at 19:49
  • Okay.... @Fred-ii- – Mohit Mishra Jan 18 '17 at 19:50
  • @MohitMishra I've my (final) answer for you below. – Funk Forty Niner Jan 18 '17 at 19:54

1 Answer

"Can concatenating the MD5 and SHA1 versions of the same string and then finally hashing it once more with password_hash() help?"

No, just "no". It will only make things worse.

You don't need to, and shouldn't, use MD5/SHA1 and password_hash() multiple times or together; you just need to use it once, the "it" being password_hash(). If you use that multiple times, your verification won't work, believe me when I say this.

You'll just be hashing a hash, and then another, and you will NOT be able to verify it in order to match passwords upon verification.

In trying to do this, your method will fail.

You use password_hash() once and you verify it afterwards with password_verify().

"Can hashing the same variable multiple times using both md5 and sha1 make the string more difficult to decrypt and increase security?"

In regards to using this for password storage, it won't be of much use really, and those (hashing) functions are outdated.

However, this doesn't stop you from using them for something else, such as a token sent out to users on account verification. Yet there are some better methods to do this, but that is out of the scope of the question.

Funk Forty Niner
  • You might like to add that `password_hash()` using the default does a 10 times loop hash, and if you want more you can get it to do it more times than that, and `password_verify()` will still be able to check for a match – RiggsFolly Jan 18 '17 at 20:03
  • @RiggsFolly You just did *lol* well, given that you don't delete your comment ;-) – Funk Forty Niner Jan 18 '17 at 20:04
  • In addition to what @Fred-ii- is saying here: make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 18 '17 at 20:18
  • If you're running an older version of PHP (<5.5) you can include the [compatibility layer](https://github.com/ircmaxell/password_compat) for `password_hash()` and `password_verify()` – Xorifelse Jan 19 '17 at 01:01
  • @Xorifelse Funny you should include that. That thought actually went through my mind earlier as I was writing a comment to the OP, but failed to actually write it out. My keyboard and I sometimes don't see eye to eye; I really need a new one. Thanks for that btw. – Funk Forty Niner Jan 19 '17 at 02:06
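As an added example (not code from the answer or the comments above), the PHP below shows the single password_hash()/password_verify() round trip the answer recommends, why nesting password_hash() inside itself can never be verified, and that the md5/sha1 pre-hash from the question verifies only because it is deterministic and adds no strength on top of bcrypt. The password value and the cost numbers are constructed for illustration.

```php
<?php
// Added example: one password_hash() call, verified with password_verify().
$password = 'correct horse battery staple'; // constructed sample input

// 1. The recommended way. password_hash() picks a random salt and iterates
//    internally; cost is a log2 work factor, so 12 is 4x the work of the default 10.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify($password, $stored));        // bool(true)
var_dump(password_verify('wrong password', $stored)); // bool(false)

// 2. Why "password_hash() multiple times" breaks verification: every call salts
//    afresh, so the outer hash covers the inner hash string, never the password.
//    password_verify() has no way to reproduce that inner value from the plaintext.
$double = password_hash(password_hash($password, PASSWORD_DEFAULT), PASSWORD_DEFAULT);
var_dump(password_verify($password, $double)); // bool(false)

// 3. The question's scheme: md5 . sha1, then password_hash(). It verifies only if
//    login recomputes exactly the same unsalted pre-hash, and it gains nothing:
//    an attacker testing a guess applies the same md5/sha1 step before bcrypt.
$prehash   = md5($password) . sha1($password);           // 32 + 40 hex chars = 72 bytes
$storedPre = password_hash($prehash, PASSWORD_DEFAULT);
var_dump(password_verify(md5($password) . sha1($password), $storedPre)); // bool(true)
var_dump(password_verify($password, $storedPre));                        // bool(false)

// 4. Raising the work factor later (what the RiggsFolly comment alludes to):
//    password_needs_rehash() flags hashes made with weaker options, so the hash
//    can be upgraded transparently right after a successful login.
$target = ['cost' => 13];
if (password_verify($password, $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, $target)) {
    $stored = password_hash($password, PASSWORD_BCRYPT, $target);
}
var_dump(password_get_info($stored)['options']['cost']); // int(13)
```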