[Giovanni D.]

As stated in the mysql manual:

Quote

Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead.

So.. what do you use/prefer? I mean, mainly for store user passwords and manage user auth.

sha256? or what?

bye,
Giovanni.

[sidewinder]

I use sha1 combined with static and dynamic salt to store passwords in db. Both salts are 64 char long.
You can find more about salts here

[pestaa]

Whirlpool. 512 bytes.

[sebi]

sha256 + salt

[Nemoden]

I've invented my own
(not for share... sorry ).

[pestaa]

WebShark, on 15 August 2009 - 11:38 AM, said:

I've invented my own

I'm not sure if there's any safer method than the unknown method.

[ekerazha]

sha256, sha384, sha512, ripemd160, ripemd320, whirlpool

Maybe sha256 is the best compromise between security and performances, I love whirlpool but it's slower and it takes the double of the space (length is 256 vs 512).

[Giovanni D.]

sebi, on 14 August 2009 - 10:47 PM, said:

sha256 + salt

thanks to all for you replies.. I think I'll go for this one

Want to post a couple of links as a reference:
http://www.wobito.ca...ords-using-salt
http://www.php.net/m....hash-algos.php
http://www.php.net/m...nction.hash.php


I'm not very convinced about using dynamic salt as if a user is able to read your salt then it is probably able to read the code you used to get the dynamic salt..

bye,
Giovanni.

[Yarrgh]

Well if you combien this:

<?
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = 'mickeymouse';
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
$tmpPass = $staticKey.$userPass.$dynamicPass;
$finalPass = sha1($tmpPass);
?>

with a comment on php's website :

<?php

function doubleSalt($toHash,$username){
$password = str_split($toHash,(strlen($toHash)/2)+1);
var_dump($password);
$hash = hash('md5', $username.$password[0].'centerSalt'.$password[1]);
return $hash;
}

?> 

You'll get something like this:

<?php

$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = sha256('mickeymouse');
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';

$password = str_split($userPass,(strlen($userPass)/2)+1);

$finalPass = sha256($staticKey.$password[0].$dynamicPass.$password[1]);

?>

I like this way better myself.