Is SHA-1 really better than MD5?

Many people state that for encrypting sensitive information such as a password, SHA-1 will be a better choice as compared to MD5, because it is harder to crack.

However, how many of you agree with this? Why is a SHA-1 hash harder to crack as compared to an MD5 hash? Just because the hash is longer? I am doubting this, because if you use a brute force attack, the time required to crack either hash is the same, since all the brute force attack tool does is try every single possible password combination, hash it with either algorithm, and compare it with the target hash.

Any comments?

A longer hash value means more possibilities which means much less likely to find a collision hash. Which is what I think they meant by ‘harder to crack.’

A correction first. Neither SHA1 nor MD5 encrypts your data. They both hash the data. There’s a difference between hashing & encrypting.

Encrypted data can be recovered by reversing the encryption process & using the right key. But hashed data cannot be recovered. It can be called one-way encryption.

Now as for SHA1 being better than MD5.
Well, you see, MD5 is a 128-bit algorithm while SHA1 is 160-bit. So even if you don’t know the intricacies of bits here, even if you have a general idea as to what that means, you can safely guess why SHA1 is better than MD5. :smiley:

There’s a one in 2^128 chance of getting a similar/duplicate hash using MD5 & a one in 2^160 chance of getting a repeat/duplicate hash using SHA1. So you can guess very well which is more secure. :smiley:

Some similar threads started here in the past are:
http://www.sitepoint.com/forums/showthread.php?t=98702&highlight=MD5
http://www.sitepoint.com/forums/showthread.php?t=108380&highlight=MD5

I’m totally unsure if my calculation is correct. Just a thought:

If say, there are a total of 2^128 (or 16^32) possible MD5 hashes, that means it is possible for 2^128 strings to generate unique hashes, right?

Well, case sensitivity matters for MD5, so if I do not count characters like "
", "\ " and so on, there are 94 possible characters that MD5 can hash (26 alphabets x 2 due to case, 10 numbers, and 32 punctuations).

If that’s the case, it means that you can have a plaintext of up to 19 characters that will definitely generate unique hashes. Once your input starts to get longer than 19 characters, clashes will occur.

I think it’s 19 because 94^19 is a little close to 2^128.

Is my calculation correct? Or totally crap? :smiley:

Basically, it would take longer to figure out a SHA-1 hash than it would to figure out an MD5 hash. However, the odds of either happening are very low. I think it is just a matter of what you feel like using.

Yeah, it all depends on what you use. Since both are free to use & SHA1 is better than MD5, you should go with SHA1 unless you have a strong reason to go with MD5.
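
The arithmetic from the posts above, as an added example that is not part of any post in the thread: it computes the 94-character keyspace figures, the input length at which counting alone forces a collision for a 128-bit and a 160-bit digest, and runs a birthday search on digests truncated to 24 bits. The function names, the 24-bit truncation and the decimal-string inputs are assumptions chosen so that it finishes quickly.

```python
import hashlib
import math

ALPHABET = 94  # the thread's count: 52 letters + 10 digits + 32 punctuation marks

def keyspace_bits(length, alphabet=ALPHABET):
    """log2 of the number of strings of exactly `length` characters."""
    return length * math.log2(alphabet)

def pigeonhole_length(digest_bits, alphabet=ALPHABET):
    """Shortest length with more candidate strings than digest values.
    From here on a collision must exist; nothing is guaranteed below it."""
    length = 1
    while alphabet ** length <= 2 ** digest_bits:
        length += 1
    return length

def birthday_collision(algo, prefix_bytes, limit=1_000_000):
    """Hash the decimal strings "0", "1", ... and return
    (attempts, first_input, second_input) for the first pair whose digests
    share the same leading `prefix_bytes` bytes, or None if none is found."""
    seen = {}
    for i in range(limit):
        msg = str(i).encode()
        prefix = hashlib.new(algo, msg).digest()[:prefix_bytes]
        if prefix in seen:
            return i + 1, seen[prefix], msg
        seen[prefix] = msg
    return None

if __name__ == "__main__":
    print(f"94^19 is about 2^{keyspace_bits(19):.1f}")
    for name, bits in (("md5", 128), ("sha1", 160)):
        print(f"{name}: collisions must exist from length {pigeonhole_length(bits)}; "
              f"birthday bound on the full digest is about 2^{bits // 2} hashes")
        attempts, a, b = birthday_collision(name, 3)  # 24-bit prefix, 2^24 values
        print(f"  24-bit prefix collision after {attempts} inputs: {a!r} vs {b!r}")
```

The 24-bit prefix has about 16.7 million possible values, yet both searches find a matching pair after a few thousand inputs, which is the square-root (birthday) behaviour that also sets the 2^64 and 2^80 generic bounds for the full digests.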