Home computickets Which hash method is better than MD5 or SHA-1 for a secure...

Which hash method is better than MD5 or SHA-1 for a secure password?




Which hashing is better MD5 or SHA-1 for a secure password?
For example, such MD5 CODE>$ Password = MD5 ($ password); and I want to change the SHA-1 hashing, you can simply change so $ password = sha1 ($ password); ?

Answer 1, Authority 100%

MD5 and SHA-1 is not encryption methods. These are methods for calculating hash (hash functions). They are not used to “encrypt” password. They are used in order not to store password in general.

In the event that you use a long salt (now you do not use it at all), the “cryptostility” of the hash is almost the same – an attacker who has stolen the base, in any case will have to go through passwords long enough.

Therefore, the main requirement for hash function is the minimum probability of collisions – finding another input string, on which the hash function will give the same result. Because there is always the likelihood that the hash password password coincides with the hash password vfst4s3g5e% #% # GSGFDGB . And when trying to choose a password for the dictionary or Bruthfors attacker letters under a simple password.

This situation is unlikely, but nevertheless – the probability of collisions in SHA-1 is much smaller than in the ancient MD5 . Therefore, the use of SHA-1 or other new algorithms is a more preferred option.

UPD: I specifically did not consider the case when the base is merged, and the bust goes on it. On the modern gland, the full bust is a matter of time. In reality, it affects only those users who do not use two-phase authentication and use the same short password for all sites. In reality, if you have merged the database, that is, only two options:

  • you have merged and all other data, too, and the fusion passwords are smaller that you will be worried. You will not be completely no difference, MD5 or SHA-256 you have been used. Because your main goal is to protect against unauthorized access – the password has not fulfilled.
  • You only have only user data, Weave all passwords and posted in open access . Then you apologize, ask all users to change the password on the link from Email and continue to work as if nothing was.

Answer 2, Authority 31%

Do well here:

http://php.net/manual/ru/function.password- hash.php

$ options = array (
  'Cost' = & gt; 12,
$ hash = password_hash ($ password, password_bcrypt, $ options);

password_hash () creates a random salt in case it has not been specified explicitly, and most often it is the best and safe choice.

Answer 3, Authority 23%

both methods are currently considered hacked and not recommended for use.

If you already have passwords, arrived in MD5, then as you can not do. All existing hashies will be invalid and stop working.
If there is no password yet, then you can not do so too. Use another feature, add salts. And it is better not to invent a bike and find a ready-made solution

Answer 4, Authority 8%

I use Crypt

MB_Substr (Crypt ($ Password, '$ 10 $ Rounds = 1000 $ EA75Sit60CS1B6DC $'), 32);

at the output will be something like

sx6qsclww6dx8dkd / tj8..wcda2dca8azqskxcgb7pw6zy042acqemtzqg5dkoj8wl7wmrnqh4olrhlh0sypp /

Answer 5

It is better to use HMAC-SHA256

Programmers, Start Your Engines!

Why spend time searching for the correct question and then entering your answer when you can find it in a second? That's what CompuTicket is all about! Here you'll find thousands of questions and answers from hundreds of computer languages.

Recent questions