MakeWebGames

Moving away from MD5


PHPDevil

For obvious reasons, I've moved away from MD5. I just had some questions.

What I am using now is:

 

$hash = hash('ripemd160', $pass1);

 

As far as I'm concerned, there hasn't been an issue with ripemd160....I hope!

I was wondering, I wanted to add a salt for better peace of mind....looked at the manual for the PHP hash function but it doesn't show how I can implement it in the parameters.

So my question is: how would I achieve this, and what is the use of MD5 nowadays?


If you want to have a different salt for each user, you could use something like the below:

$hash =  hash('ripemd160' , $ir['salt'].$pass1);

If you don't want to have a new field, you can use the id, username, email or any other user field that doesn't change from registering.

Or you can use the same salt for everyone and use something like:

$salt='tv7f59r6ti';
$hash =  hash('ripemd160' , $salt.$pass1);

Before you go ahead, I'd like to point you to a proper article regarding password hashing, the wrongs, goods & bads.

http://crackstation.net/hashing-security.htm

And, to give some quotes to those lazy ones:

"There are a lot of conflicting ideas and misconceptions on how to do password hashing properly, probably due to the abundance of misinformation on the web. Password hashing is one of those things that's so simple, but yet so many people get wrong. With this page, I hope to explain not only the correct way to do it, but why it should be done that way."

"The most common salt implementation errors are reusing the same salt in multiple hashes, or using a salt that is too short"

Which is the case here, where you will be re-using the salt.

Now, because you are using ripeMD-160, a hashing algorithm that's very quick to generate, you could run through 1 million hashes very quickly; thus it is better to implement a hashing algorithm that takes some time to create. You can take "bcrypt" for example, or "PBKDF2".

You can find a PHP implementation of PBKDF2 here

And I would suggest going to PHPASS, as it implements blowfish cryptography.

What I'd like to point out though, is that ripemd160 has got a lookup table floating around already.

 

ripeMD160 1,493,677,782 16 GB

That's 16GB of ripeMD-160 hashes.

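The advice in the last reply (a slow hash with a unique salt per user), as an added example that is not code from any poster in this thread. It assumes PHP 7.1+ and uses PHP's built-in `password_hash()` with bcrypt rather than PHPASS; the function names `make_hash` and `check_login` are hypothetical, and the sample password is constructed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Hash a new password with bcrypt. password_hash() draws a fresh random salt
// on every call and embeds the salt and cost in the returned string.
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Check a login against the stored value. Returns [bool $ok, ?string $newHash];
// a non-null $newHash means the stored value should be replaced with it.
function check_login(string $password, string $stored): array
{
    // Legacy row: 40 hex characters of unsalted ripemd160, as in the first post.
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        $ok = hash_equals($stored, hash('ripemd160', $password));
        return [$ok, $ok ? make_hash($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the cost recorded in the hash differs from the current one.
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [true, $stale ? make_hash($password) : null];
}

// Constructed sample data: two users who picked the same password.
$a = make_hash('hunter2');
$b = make_hash('hunter2');
var_dump($a === $b);                      // do the two stored strings match?
var_dump(check_login('hunter2', $a)[0]);  // correct password
var_dump(check_login('wrong', $a)[0]);    // wrong password

// Constructed legacy row, upgraded to bcrypt on the first successful login.
$legacy = hash('ripemd160', 'hunter2');
[$ok, $new] = check_login('hunter2', $legacy);
var_dump($ok, password_verify('hunter2', (string) $new));
```

bcrypt hashes are 60 characters long, so the password column has to hold at least that; `PASSWORD_BCRYPT` also truncates input at 72 bytes.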
