开发者

changing from md5 to sha1,salting

my algorithm looks like this:

$new_password = sha1($salt . $password . $email);

it works good, but Im trying to change to sha1 since ive heard its better but it wont work. Why is that?

register:

//generate a strong 开发者_StackOverflow社区unique salt
$salt = uniqid(mt_rand());

$new_password = sha1($salt . $password . $email);

and then i rehash it when i log in


Are you storing the salt with the hashed password? You need to use the same salt when checking the hash - each user should have their email address, salt and hash stored.


Yes, sha1 is a better hash than md5. Much of the time tho, md5 is good enough... Really, how "insecure" your site is is determined much more by other factors.


You want a constant string for your salt, eg

$salt = "iodized sea salt"

EDIT: The commenters and downvoters here seem not to understand the concept of a salt. Using a constant salt certainly would not defeat the purpose of the salt, which is to make your choice of hashing algorithm ("SHA1 with such-and-such a salt") private. This salt can be long and its choice has more entropy than, say, uniqid(mt_rand()). You can't brute force a long salt any time this side of never. A per-user salt might make you feel better if you're not clear on computer security, but doesn't provide any other benefit.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜