changing from md5 to sha1,salting
my algorithm looks like this:
$new_password = sha1($salt . $password . $email);
it works good, but Im trying to change to sha1 since ive heard its better but it wont work. Why is that?
register:
//generate a strong 开发者_StackOverflow社区unique salt
$salt = uniqid(mt_rand());
$new_password = sha1($salt . $password . $email);
and then i rehash it when i log in
Are you storing the salt with the hashed password? You need to use the same salt when checking the hash - each user should have their email address, salt and hash stored.
Yes, sha1 is a better hash than md5. Much of the time tho, md5 is good enough... Really, how "insecure" your site is is determined much more by other factors.
You want a constant string for your salt, eg
$salt = "iodized sea salt"
EDIT: The commenters and downvoters here seem not to understand the concept of a salt. Using a constant salt certainly would not defeat the purpose of the salt, which is to make your choice of hashing algorithm ("SHA1 with such-and-such a salt") private. This salt can be long and its choice has more entropy than, say, uniqid(mt_rand()). You can't brute force a long salt any time this side of never. A per-user salt might make you feel better if you're not clear on computer security, but doesn't provide any other benefit.
精彩评论