PHP security: sha1 or hash


After learning that hashing a password is my choice for making a login form, now I am facing another issue: sha1 or hash?

This is a standard method using a salt; I think I got it from a reference book of mine:

    # create a salt using the current timestamp
    $salt = time();
    # hash the password and salt with SHA1
    $usr_password = sha1($usr_password.$salt);

But then, after I did some research on sha1, I was told it may not be so secure in the future, and it was suggested to use hash() instead.

But I don’t quite understand using hash() - for instance -

    $usr_password = hash('sha256', $usr_password);

What is that ‘sha256’ or ‘sha512’ which I found here?

Can I put anything instead, like ‘@123’?

Why is it called a salt anyway? $salt = time(); is nothing else but a Unix timestamp, isn’t it?


It’s called a salt because it is something that you add at the last minute in the same way you might add salt to a meal just before eating it.

hash allows you to choose which hashing algorithm to use and so you can use either sha256 or sha512 instead of sha1 by using it. Which you choose is basically a compromise between the level of security and the amount of data you are going to store since to make it a small fraction more secure it generates a much larger value.

sha1 is 160 bits whereas sha256 and sha512 are 256 and 512 bits respectively making them 60% and 220% bigger.
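The following is an added example, not code from either post, showing the mechanics the thread talks about: the algorithm name passed to hash() (any name returned by hash_algos(), of which 'sha256' and 'sha512' are the SHA-2 members), a salt that is stored next to the digest, and the verify step that recomputes it. It uses random_bytes() rather than time() for the salt, because a timestamp is guessable and is shared by every account created in the same second. The function names (available_sha_algos, make_salt, salted_digest, salted_verify) and the storage layout "algo$salt$hex" are my own assumptions. The last lines show password_hash() / password_verify(), which is the PHP API built specifically for password storage.

```php
<?php
// Added example (not from the original post). Function names and the
// "algo$salt$hex" storage format are assumptions made for this illustration.

// Which of the names asked about does this PHP build accept in hash()?
function available_sha_algos(): array {
    return array_values(array_intersect(['sha1', 'sha256', 'sha512'], hash_algos()));
}

// Salt from the CSPRNG instead of time(): time() is guessable and identical for
// every account created in the same second, so equal passwords would collide.
function make_salt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));   // 32 hex chars for 16 bytes
}

// Salted digest with a chosen algorithm. The salt is not secret, but it must be
// kept with the digest so the same input can be recomputed at login time.
function salted_digest(string $password, string $algo = 'sha256', ?string $salt = null): string {
    $salt = $salt ?? make_salt();
    return $algo . '$' . $salt . '$' . hash($algo, $password . $salt);
}

// Verification recomputes with the stored algorithm and salt; hash_equals()
// compares in constant time so the comparison does not leak via timing.
function salted_verify(string $password, string $stored): bool {
    [$algo, $salt, $digest] = explode('$', $stored, 3);
    return hash_equals($digest, hash($algo, $password . $salt));
}

// Constructed sample input for the demonstration
$pw = 'correct horse battery staple';

foreach (available_sha_algos() as $algo) {
    $stored = salted_digest($pw, $algo);
    $hexLen = strlen(explode('$', $stored, 3)[2]);
    // Hex length is bits / 4: 160, 256 and 512 bits give 40, 64 and 128 hex chars.
    printf("%-6s digest length %3d  verify ok=%s\n",
        $algo, $hexLen, var_export(salted_verify($pw, $stored), true));
}

// A wrong password must fail verification.
var_dump(salted_verify('wrong', salted_digest($pw)));

// What PHP provides for passwords specifically: password_hash() uses a slow,
// salted algorithm (bcrypt by default) and embeds algorithm, cost and salt in
// the string it returns, so nothing else needs to be stored.
$stored = password_hash($pw, PASSWORD_DEFAULT);
var_dump(password_verify($pw, $stored));
var_dump(password_verify('wrong', $stored));
```

Run it with `php example.php`. The point of the loop is that only the digest length changes between sha1, sha256 and sha512; the salt and verify logic are the same, which is why the algorithm name is just a parameter to hash().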

thank you. now I know why! :blush:

thanks for this explanation. I will go for sha2 then! :smiley: