md5() vs. crypt() vs. sha1()?

Just wondering, which is the best to use use?
Is there any reason to use sha1() over crypt() over md5() ? etc.

According to this:

sha1() is the only one to use.

Okay; I may be asking a dumb question, but what about
running sha1(md5(crypt($var))) ? Logic would have me
believe that thrice hasing the $var will make it stronger?

would also make the var alot bigger and slow down your app

True but in practice MD5 is still more than enough for most applications. All that was proven at CRYPTO is that collisions can be generated in a slightly easier fashion than originally believed.

To be clear, in all hash functions collisions are a given, the question is how often they occur…

And yes, SHA1() is not yet broken but that doesn’t mean it won’t be. I’m personally still using MD5 because I believe the implementation is much faster. This doesn’t really matter on a webapp I suppose…


That does not buy you “three times the strength” – if anything is probably loses a little bit.

All these functions are one-way functions. md5 and sha1 are hash functions meaning they create a hash based on the input. Feeding a hash from one algorithm into another algorithm doesn’t make it any more unique.

If you are worried about someone “reversing” it, that’s impossible. If you are worried about someone finding a collision (the real concern since that’s how you will check passwords) then you’ve done nothing to add to your security mechanism.

In short, just use MD5 or SHA1 but don’t stack 'em.


Thanks :slight_smile: I think I may use sha1(), not sure…

Another way to prevent collisions is to generate a random string of ASCII characters when a user registers and place it in the database:

function makerandstr($num)
    for($i = 1; $i <= $num; $i++)
        $str .= chr(rand(0,254));
    return $str;
$randstr = makerandstr(4);
$password = sha1(sha1($_POST['password']).$randstr);

This can be anything from 2 characters, to 5, 6, or even more. Then, you can do something like this to hash passwords:

$query = mysql_query('do whatever');
$r = mysql_fetch_array($query);
if (sha1(sha1($_POST['password']).$r['randstr']) !== $r['password'])
   die('Password is not correct.');

Note that this is untested and pulled right from my memory (which is not always correct in coding) as I’m at school right now and have no way to test it.

Thanks :slight_smile: I’ll try it out in a little bit.

require_once('Last Entry/rf/class.php');

if (empty($_GET['password'])) {
	echo "Tell us the password!";
	        } else {

function makerandstr($num)
    for($i = 1; $i <= $num; $i++)
        $str .= chr(rand(0,254));
    return $str;
$randstr = makerandstr(10);
$pw = sha1(sha1($_GET['password']).$randstr);

$rest = substr("$pw", 9, 6);

// Connect to MySQL
$db = & new MySQL($host,$dbUser,$dbPass,$dbName);

	// SQL query...
$gdnps = "SELECT pass FROM pw";
$result = $db->query($gdnps);
	while ($row = $result->fetch()) {
	        if (sha1(sha1($_GET['password']).$result['randstr']) != $row['pass']) {
	                echo "Password is not correct";
		} else {
		        echo "Password correct.";

Basic example I made to test it out, but it keeps giving me this error:

Fatal error: Cannot use object of type MySQLResult as array in
E:\xampp\xampp\htdocs\actual\view.php on line 28

At first I thought it was because I missed a pair of single quotes
for the $row[‘pass’] - but I changed that, same thing :frowning:

Any idea? New to using OOP to fetch + using sha1()/md5()/etc.

Blah, call me an old fart but im sticking with md5 :slight_smile:

Only use the function on the register page and then insert it into the database. Then you need to pull the value you inserted in along with the password.

Also, your query is not pulling the randstr field from the database. It’s only pulling the pass field.

Also, Qwest, you may not know, but there is a site that can brute crack md5 hashed passwords if they are not secure (ie, long, with caps, nums etc.). That’s why I’m not going to use md5 any more. Sha1, while not perfect, creates a larger hash than md5, which, I think, would be harder to brute force, especially if you do multiple things other than hashing to the password.

Of the three mentioned, crypt() is actually the weakest because it can be decrypted.

The other two are hashing functions with different functionality from encrypting data. When you hash data it gives you a key that represents the data not the data itself. MD5 will always return a 32 bit hexadecimal key while SHA1 returns a 40 bit hexadecimal key.

When using hashing functions on data, you make the data irretrievable. This is actually good for passwords because it protects them from unscrupulous admins using the software. You can make your hash routines more secure by creating a secondary value to meld with it. This is often referred to as a salt and is randomly generated and stored outside the hash. Some systems use a double salt to hash passwords. The second salt is either generated by the manufacturer such as a unique license key or a passphrase created by the user. The use of salts means that dictionary attacks are less likely which is the most likely form of attack, not collision. Even with collision attacks, the chances are very slim that it will be easy for people to get them. The people creating these collisions are using university networks with a lot of processing power. Even then they don’t know the original data which is what you would require for passwords when they are entered.

Sorry, didn’t post the code for that page. I made a simple one to
fetch the var from $_GET to hash then store into the database,
so get a feel of how to do this. (Never made a “secure” login, so…)

Okay, so make a randstr field as well? Sorry, confused on this end :stuck_out_tongue:
I’ll try it out in abit.

Besides, a the server running a web application would be hammered to death if someone wanted to find a collision in your web application, so they problably wouldn’t even have any chance. This is assuming you have a good host, which will shut down the server if it gets hammered.