Say I am hashing a password but want something that is not only fast but also secure. md5 and SHA are the popular ones but there is also haval and tiger to name a few. Should a user use a less used hashing method as well?
So what is the ideal hash for speed and security for storing passwords in your eyes?
As with most of these type of posers, it’s all down to the implementation. For instance, hashing the character ‘a’ as a password is easily looked up (via Rainbow Tables). In comparison, hashing say the users supplied password, a user specific value (for instance db id) and system specific (static) value with the same algorithm would be more than sufficient.
<?php
$sql = sprintf(
"SELECT id FROM user WHERE username = '%s' AND fingerprint = SHA1(CONCAT(id, '%s')",
$username,
$this->config->get('super-secret-key') . $this->input->post->get('password')
);
?>
So basically pick one and be sure to put a nice salt in it then? At the PHP manual there is a table of the speed so that should also be taken into consideration right?
Speed and security are mutually exclusive. The reason that more secure algorithms are slower is because they’re performing more operations to obfuscate the content. Additionally, if your algorithm is implemented correctly, the most effective way to determine the password is brute forcing, which means that the attacker will need to attempt many hashes before finding the correct one; as a result, slower means that each attempt will take more time, thus increasing the total time before determining the password. This is good. I personally prefer to use the Whirlpool algorithm, as the name is easy to remember. I wouldn’t use anything personally which is faster than SHA512.
As for your question about salting: you should actually salt every iteration of your hashing algorithm for maximum security. In psuedo-code:
Disclaimer: It’s Monday morning, and there’s a nagging part of my brain which thinks that there’s an issue with the code I posted, so if anyone can correct me, I’d greatly appreciate it. The fundamental principle should be sound, however.