sha1/md5 with salt

1st of all i would clarify that this is not a help or question related thread. It’s just opinion based thread, where every one can suggest/advise his/her own idea.
There are many ways to hash a password, salt is the most talking about to use with sha1 or md5. I have this sample example, and would let the reader decide which method is the best and if any ideas to improve it are welcomed OR if anyone got new way to secure a password.

$pass = 'somestring'; // password
$salt = '}#f4ga~g%7hjg4&j(7mk?/!bj30ab-wi=6^7-$^R9F|GK5J#E6WT;IO[JN'; // random string

$hash = md5($pass); // md5 hash #1
$hash_md5 = md5($salt.$pass); // md5 hash with salt #2
$hash_md5_double = md5(sha1($salt.$pass)); // md5 hash with salt & sha1 #3
$hash1 = sha1($pass); // sha1 hash #4
$hash1_sha1 = sha1($salt.$pass); // sha1 hash with salt #5
$hash1_sha1_double = sha1(md5($salt.$pass)); // sha1 hash with salt & md5 #6

// echo now
echo 'Original Password: '.$pass.'<br><br>';
echo 'Original Salt: '.$salt.'<br><br>';
echo 'MD5: '.$hash.'<br><br>';
echo 'MD5 with Salt: '.$hash_md5.'<br><br>';
echo 'MD5 with Salt & Sha1: '.$hash_md5_double.'<br><br>';
echo 'Sha1: '.$hash1.'<br><br>';
echo 'Sha1 with Salt: '.$hash1_sha1.'<br><br>';
echo 'Sha1 with Salt & MD5: '.$hash1_sha1_double.'<br><br>';  

In above, which one would you choose from #1 to #6.

Ideas and improvement are welcomed.

Either 2 or 5 depending on which hashing algorithm you decide to use.

That way someone with access to the server who can view the hashed passwords for the same person on multiple sites is unable to tell what either password is and whether or not they are the same.

Not using a salt means that they can tell if the passwords are the same because it is unlikely that the same person would use two different passwords that generate the same hash.

Using anything more than a salted hash is overkill as the process only serves to hide the password from those with access to the server and just hashing is enough to do that.

Thanks Stephen J Chapman.
I would also go for that either #2 or #5. But will choose #5.

I have another idea, if lets say the server stops working and not serving PHP pages. So in this case it will show the $salt itself on the page it is.
So for this, i thought to create another PHP file (salt.php) and include it in the login.php like this:

$salt = '}#f4ga~g%7hjg4&j(7mk?/!bj30ab-wi=6^7-$^R9F|GK5J#E6WT;IO[JN'; // random string

And then in login.php:

echo sha1($pass.$salt);

salt.php will be some where in the root dir listings, which can be not known to user. So s/he will just see the login.php page and not the salt random string.

This is just my idea to improve it. :slight_smile:

The way to improve it is to make sure that the database is properly secured so that no one other than yourself and those in the data centre can access the raw content of the database. Apart from those people the hashing of the password serves no purpose since they are the only ones who will be able to see it. Using a salt even if known is enough to prevent those in the data centre using a rainbow table to find a value to use as the password and also to stop their identifying if the same password is used by the same person on different accounts.

Whatever you do to the password beyond using a salted hash is like adding a draught excluder under your door while all the thieves are looking at how to climb in through the windows.

I’m more inclinded to do…should randomly generate a new salt for each user.

$data = 'somerandom password';
$salt  = 'someranfom saltstring';

$hash = hash( 'whirlpool', $data, $salt );