
Possible Duplicate:
Secure hash and salt for PHP passwords

Is this a secure way to encrypt the passwords to store in a MySQL database:

md5(sha1($password))

Thanks.

– Jay
  • no, you should salt it, and double hashing is no benefit. –  Mar 07 '11 at 21:07
  • Short answer: use phpass (http://www.openwall.com/phpass/). It does everything right by default: salting, using bcrypt, key strengthening. – Artefact2 Mar 07 '11 at 21:08
  • @Dagon: I'm going to partially disagree with you on this. If the database is stolen and none of the code is available to the hacker, then having chained hash functions (regardless of whether it's the same one multiple times or different functions) would make it considerably more difficult to determine the original plaintext. First the attacker would have to find a method to determine which hash algorithms were chained in what manner, and if/when they do, the brute-force process would take longer due to greater computational complexity. – Mr. Llama Mar 07 '11 at 22:18
  • depends on the attack type, they would have to already have the db for double hashing to make any difference, and then it is probably game over; if they are brute forcing then the only advantage is a slight speed slowdown. Too often people come up with something like this and ignore the other million ways someone can compromise a site. –  Mar 07 '11 at 23:27

2 Answers


What you are doing here is hashing, not encrypting.

Hashing has the purpose of not storing the password itself in the database, so that if the database is stolen the attacker will not gain knowledge of all user passwords.

Hashing should be used in conjunction with salting the hashes, because otherwise it will be relatively easy for an attacker who has gained access to the database to crack the weak passwords stored there.

Also, hashing the same input twice (as your example does with md5 and sha1) does not offer any significant benefit.

– Jon

Generate a random salt for each password and compute the password digest with HMAC-SHA1. The salt is used as the key and the password is used as the message. The salt and digest are stored in the database.

– mgronber
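An added example (not code from the question or either answer) of the scheme mgronber's answer describes: a per-password random salt used as the HMAC-SHA1 key with the password as the message, plus the matching verification step. The function names, the 16-byte salt length and the hex storage format are my assumptions.

```php
<?php
// Added example, not from the question or the answers: salted HMAC-SHA1 password
// storage. Assumptions: 16-byte salt, salt and digest stored hex-encoded in two columns.

const SALT_BYTES = 16;

/**
 * Returns ['salt' => hex, 'digest' => hex] to be stored with the user record.
 */
function hashPassword(string $password): array
{
    // Cryptographically secure random salt, generated fresh for every password (PHP 7+).
    $salt = random_bytes(SALT_BYTES);
    // HMAC-SHA1 with key = salt and message = password; raw binary output.
    $digest = hash_hmac('sha1', $password, $salt, true);
    return ['salt' => bin2hex($salt), 'digest' => bin2hex($digest)];
}

/**
 * Recomputes the digest from the stored salt and compares it in constant time.
 */
function verifyPassword(string $password, string $saltHex, string $digestHex): bool
{
    $salt = hex2bin($saltHex);
    $expected = hex2bin($digestHex);
    if ($salt === false || $expected === false) {
        return false; // malformed stored values never verify
    }
    $actual = hash_hmac('sha1', $password, $salt, true);
    // hash_equals avoids leaking which byte differed through timing.
    return hash_equals($expected, $actual);
}

// Demonstration with a constructed password.
$record = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $record['salt'], $record['digest']));
var_dump(verifyPassword('wrong password', $record['salt'], $record['digest']));
```

On PHP 5.5 and later, password_hash() and password_verify() provide the bcrypt scheme that Artefact2's comment recommends via phpass, including salt handling and a tunable cost, and are the better choice where available.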