Alternative to sha1 / md5?

As stated in the mysql manual:

So… what do you use/prefer? I mean, mainly for storing user passwords and managing user auth.

sha256? or what?

bye,

Giovanni.

I use sha1 combined with a static and a dynamic salt to store passwords in the db. Both salts are 64 chars long.

You can find more about salts here

Whirlpool. 512 bytes.

sha256 + salt

I’ve invented my own :))

(not for sharing… sorry :) ).

I’m not sure if there’s any safer method than the unknown method. :)

sha256, sha384, sha512, ripemd160, ripemd320, whirlpool

Maybe sha256 is the best compromise between security and performance. I love whirlpool, but it’s slower and it takes double the space (length is 256 vs 512).

Thanks to all for your replies… I think I’ll go for this one ;)

Want to post a couple of links as a reference:

http://www.wobito.ca/php-encrypt-passwords-using-salt

http://www.php.net/manual/en/function.hash-algos.php

http://www.php.net/manual/en/function.hash.php

I’m not very convinced about using a dynamic salt: if a user is able to read your salt, then they are probably able to read the code you used to get the dynamic salt… ::)

bye,

Giovanni.

Well, if you combine this:


<?php
// Site-wide static salt and per-user dynamic salt wrapped around the password.
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = 'mickeymouse';
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';

$tmpPass = $staticKey.$userPass.$dynamicPass;
$finalPass = sha1($tmpPass);
?>

with a comment on PHP’s website:




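<?php
// Hashes the username, the first half of the input, a fixed center salt and the second half.
function doubleSalt($toHash, $username) {
    // Keep the chunk length an integer, also for odd-length input.
    $password = str_split($toHash, intdiv(strlen($toHash), 2) + 1);
    // Input of one or two characters yields a single chunk, so default the missing half.
    $hash = hash('md5', $username.($password[0] ?? '').'centerSalt'.($password[1] ?? ''));
    return $hash;
}
?>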

You’ll get something like this:




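<?php
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
// PHP has no sha256() function; hash() with the 'sha256' algorithm is the working call.
$userPass = hash('sha256', 'mickeymouse');
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';

// The 64-character hex digest is split into chunks of 33 and 31 characters.
$password = str_split($userPass, (strlen($userPass)/2)+1);

// The dynamic salt sits between the two chunks, the static key in front.
$finalPass = hash('sha256', $staticKey.$password[0].$dynamicPass.$password[1]);
?>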

I like this way better myself.
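The static-plus-dynamic-salt scheme discussed in this thread, written out as an added example that is not code from any of the posters: the per-user salt is random and stored beside the hash, so two accounts with the same password still get different hashes even when the salt is readable. `STATIC_KEY`, `makeRecord()` and `verifyRecord()` are hypothetical names and the key value is constructed; the last lines show PHP's built-in `password_hash()` / `password_verify()`, which generate and embed a per-password salt on their own.

```php
<?php
// Added example, not code from the thread. Names and the key value are constructed.
// Site-wide static key: lives in configuration, not in the database.
const STATIC_KEY = 'constructed-site-wide-key-not-a-real-secret';

// sha256 over static key + per-user salt + password, as proposed in the thread.
// The per-user ("dynamic") salt is random and is stored next to the hash.
function makeRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 128 random bits, hex-encoded, unique per user
    return [
        'salt' => $salt,
        'hash' => hash('sha256', STATIC_KEY . $salt . $password),
    ];
}

// Recompute the hash with the stored salt and compare it with the stored hash.
function verifyRecord(string $password, array $record): bool
{
    $candidate = hash('sha256', STATIC_KEY . $record['salt'] . $password);
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($record['hash'], $candidate);
}

// Two users who pick the same password: compare their stored hashes.
$alice = makeRecord('mickeymouse');
$bob   = makeRecord('mickeymouse');
printf("same hash for same password: %s\n", var_export($alice['hash'] === $bob['hash'], true));

// Login attempts against one stored record.
printf("correct password accepted:   %s\n", var_export(verifyRecord('mickeymouse', $alice), true));
printf("wrong password accepted:     %s\n", var_export(verifyRecord('minniemouse', $alice), true));

// PHP's built-in password API: the salt and the cost settings are generated
// by password_hash() and carried inside the single string it returns.
$stored = password_hash('mickeymouse', PASSWORD_DEFAULT);
printf("password_verify, correct:    %s\n", var_export(password_verify('mickeymouse', $stored), true));
printf("password_verify, wrong:      %s\n", var_export(password_verify('minniemouse', $stored), true));
```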