Alternative to sha1 / md5?

As stated in the MySQL manual:

So… what do you use/prefer? I mean, mainly for storing user passwords and managing user auth.

sha256? or what?



I use sha1 combined with a static and a dynamic salt to store passwords in the db. Both salts are 64 chars long.

You can find more about salts here

Whirlpool. 512 bytes.

sha256 + salt

I’ve invented my own :))

(not for sharing… sorry :) ).

I’m not sure if there’s any safer method than the unknown method. :)

sha256, sha384, sha512, ripemd160, ripemd320, whirlpool

Maybe sha256 is the best compromise between security and performance. I love whirlpool, but it’s slower and it takes double the space (length is 256 vs 512).

Thanks to all for your replies… I think I’ll go for this one ;)

Want to post a couple of links as a reference:

I’m not very convinced about using a dynamic salt: if a user is able to read your salt, then they are probably able to read the code you used to get the dynamic salt… ::)



Well, if you combine this:


$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = 'mickeymouse';
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
$tmpPass = $staticKey.$userPass.$dynamicPass;
$finalPass = sha1($tmpPass);


with a comment on PHP’s website:


function doubleSalt($toHash, $username) {
    // Split the input into two parts so a salt can be placed between them.
    $password = str_split($toHash, intdiv(strlen($toHash), 2) + 1);
    $hash = hash('md5', $username.$password[0].'centerSalt'.$password[1]);
    return $hash;
}



You’ll get something like this:


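$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = hash('sha256', 'mickeymouse'); // hex SHA-256 digest of the password (64 chars)
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
// Split the digest in two so the dynamic salt sits between the parts.
$password = str_split($userPass, intdiv(strlen($userPass), 2) + 1);
$finalPass = hash('sha256', $staticKey.$password[0].$dynamicPass.$password[1]);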


I like this way better myself.
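
Added example, not part of the thread and not any poster's code: the static + dynamic salt scheme discussed above, with a random per-user salt and a constant-time comparison, next to PHP's built-in password_hash(), which generates the salt itself and is deliberately slow where a single SHA-256 pass is not. The function names and the STATIC_KEY value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample value standing in for the thread's $staticKey.
const STATIC_KEY = 'example-static-key-not-a-real-secret';

// Thread-style scheme: static key + password + per-user ("dynamic") salt,
// hashed with one SHA-256 pass.
function threadStyleHash(string $password, string $dynamicSalt): string
{
    return hash('sha256', STATIC_KEY . $password . $dynamicSalt);
}

// Create a record: a fresh random salt per user, stored next to the hash.
function threadStyleCreate(string $password): array
{
    $salt = base64_encode(random_bytes(16));
    return ['salt' => $salt, 'hash' => threadStyleHash($password, $salt)];
}

// Verify with hash_equals() so comparison time does not depend on the input.
function threadStyleVerify(string $password, array $record): bool
{
    $candidate = threadStyleHash($password, $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

// Two users who pick the same password: the per-user salt keeps their stored
// hashes from matching, so one precomputed table cannot cover both.
$alice = threadStyleCreate('mickeymouse');
$bob   = threadStyleCreate('mickeymouse');

var_dump($alice['hash'] === $bob['hash']);
var_dump(threadStyleVerify('mickeymouse', $alice));
var_dump(threadStyleVerify('donaldduck', $alice));

// Built-in password API: the salt is generated and embedded in the output
// string, and the work factor is tunable through 'cost'.
$stored = password_hash('mickeymouse', PASSWORD_BCRYPT, ['cost' => 12]);

var_dump(password_verify('mickeymouse', $stored));
var_dump(password_verify('donaldduck', $stored));

// Reports whether a stored hash was made with weaker options than requested,
// so it can be re-hashed at the user's next successful login.
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13]));
```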