Which hashing is better MD5
or SHA-1
for a secure password?
For example, such MD5
CODE>$ Password = MD5 ($ password);
and I want to change the SHA-1
hashing, you can simply change so $ password = sha1 ($ password);
?
Answer 1, Authority 100%
MD5
and SHA-1
is not encryption methods. These are methods for calculating hash (hash functions). They are not used to “encrypt” password. They are used in order not to store password in general.
In the event that you use a long salt (now you do not use it at all), the “cryptostility” of the hash is almost the same – an attacker who has stolen the base, in any case will have to go through passwords long enough.
Therefore, the main requirement for hash function is the minimum probability of collisions – finding another input string, on which the hash function will give the same result. Because there is always the likelihood that the hash password password
coincides with the hash password vfst4s3g5e% #% # GSGFDGB
. And when trying to choose a password for the dictionary or Bruthfors attacker letters under a simple password.
This situation is unlikely, but nevertheless – the probability of collisions in SHA-1
is much smaller than in the ancient MD5
. Therefore, the use of SHA-1
or other new algorithms is a more preferred option.
UPD: I specifically did not consider the case when the base is merged, and the bust goes on it. On the modern gland, the full bust is a matter of time. In reality, it affects only those users who do not use two-phase authentication and use the same short password for all sites. In reality, if you have merged the database, that is, only two options:
- you have merged and all other data, too, and the fusion passwords are smaller that you will be worried. You will not be completely no difference,
MD5
orSHA-256
you have been used. Because your main goal is to protect against unauthorized access – the password has not fulfilled. - You only have only user data, Weave all passwords and posted in open access . Then you apologize, ask all users to change the password on the link from Email and continue to work as if nothing was.
Answer 2, Authority 31%
Do well here:
http://php.net/manual/ru/function.password- hash.php
$ options = array (
'Cost' = & gt; 12,
);
$ hash = password_hash ($ password, password_bcrypt, $ options);
password_hash ()
creates a random salt in case it has not been specified explicitly, and most often it is the best and safe choice.
Answer 3, Authority 23%
both methods are currently considered hacked and not recommended for use.
If you already have passwords, arrived in MD5, then as you can not do. All existing hashies will be invalid and stop working.
If there is no password yet, then you can not do so too. Use another feature, add salts. And it is better not to invent a bike and find a ready-made solution
Answer 4, Authority 8%
I use Crypt
MB_Substr (Crypt ($ Password, '$ 10 $ Rounds = 1000 $ EA75Sit60CS1B6DC $'), 32);
at the output will be something like
sx6qsclww6dx8dkd / tj8..wcda2dca8azqskxcgb7pw6zy042acqemtzqg5dkoj8wl7wmrnqh4olrhlh0sypp /
Answer 5
It is better to use HMAC-SHA256