As stated in the mysql manual:
So… what do you use/prefer? I mean, mainly for storing user passwords and managing user auth.
sha256? or what?
bye,
Giovanni.
I use sha1 combined with static and dynamic salt to store passwords in db. Both salts are 64 char long.
You can find more about salts here
Whirlpool. 512 bytes.
sha256 + salt
I’ve invented my own
(not for sharing… sorry).
I’m not sure if there’s any safer method than the unknown method.
sha256, sha384, sha512, ripemd160, ripemd320, whirlpool
Maybe sha256 is the best compromise between security and performance. I love whirlpool, but it’s slower and it takes double the space (length is 256 vs 512).
Thanks to all for your replies… I think I’ll go for this one.
Want to post a couple of links as a reference:
http://www.wobito.ca/php-encrypt-passwords-using-salt
http://www.php.net/manual/en/function.hash-algos.php
http://www.php.net/manual/en/function.hash.php
I’m not very convinced about using a dynamic salt, as if a user is able to read your salt then they are probably able to read the code you used to get the dynamic salt…
bye,
Giovanni.
Well, if you combine this:
<?php
// Site-wide secret prepended to every password before hashing.
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = 'mickeymouse';
// Per-user value appended after the password.
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
$tmpPass = $staticKey . $userPass . $dynamicPass;
$finalPass = sha1($tmpPass);
?>
with a comment on php’s website:
<?php
function doubleSalt($toHash, $username) {
    // Split the input into two halves; str_split needs an integer chunk size.
    $password = str_split($toHash, (int) (strlen($toHash) / 2) + 1);
    // Hash username, first half, a fixed middle salt, and second half.
    $hash = hash('md5', $username . $password[0] . 'centerSalt' . $password[1]);
    return $hash;
}
?>
You’ll get something like this:
<?php
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
// PHP has no sha256() function; use hash('sha256', ...) instead.
$userPass = hash('sha256', 'mickeymouse');
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
// Split the pre-hashed password into two halves (integer chunk size).
$password = str_split($userPass, (int) (strlen($userPass) / 2) + 1);
// Interleave: static key, first half, per-user salt, second half.
$finalPass = hash('sha256', $staticKey . $password[0] . $dynamicPass . $password[1]);
?>
I like this way better myself.
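The thread's constructions all run a single fast hash over static key + password + per-user salt. As an added example (not code from any poster), here is that scheme next to the approach a defender would reach for: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), a self-describing stored format, and a constant-time comparison on verify. The iteration count is an assumed value to tune for your hardware.

```python
import base64
import hashlib
import hmac
import os

# Assumed iteration count for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


def salted_sha256(static_key: str, password: str, dynamic_salt: str) -> str:
    """The thread's 'static + dynamic salt' scheme: one fast SHA-256 pass.
    Included only so it can be compared with hash_password() below."""
    data = (static_key + password + dynamic_salt).encode()
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random 16-byte salt per call, then PBKDF2-HMAC-SHA256.
    The salt is not secret; it just makes every user's hash unique and
    forces an attacker to attack each hash separately."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store algorithm, iterations and salt alongside the digest so the
    # parameters can be raised later without breaking existing records.
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(actual, expected)
```

Because hash_password() draws a new salt each time, two records for the same password differ, while salted_sha256() with a fixed static key and per-user salt is fully deterministic.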