Using MD5 on top of SHA512 does not improve security; if it does anything, it weakens it by reducing the search space of possible MD5 hashes (instead of being an MD5 of any possible string, the hash could only be that of an SHA1 hash). Ditto for those other MD5(SHA1(....)) combos.
If you must make it shorter, do it without destroying bits and so increasing the chances of a collision being found. Something like base64_encode(hash('sha512', $value, true)). If you want fewer bits in your hash you'd be better off using a hash that generates fewer bits in the first place.
Of course, using SHA512 to hash something that isn't 512 bits long to begin with is questionable: if people are going to pick stupid passwords that contain only 50 bits' worth of entropy to begin with then no amount of hashing is going to create more than 50 bits' worth of hash.
madwormer2 wrote:But in conjunction would be nearly a millionfold more time consuming.
No; brute-forcing SHA1(MD5()) would only be twice as time-consuming as brute-forcing MD5() - and not even that if you use a pre-existing hash lookup table for the MD5s.
That's a speed difference so negligible it can be beaten by waiting a few months and buying a new computer.
greenie2600 wrote:But a cracker would have to gain access to the PHP code that generates the hash before they'd know what the algorithm was.
But we're already assuming that they've got ahold of the hash somehow....
After all, md5 hashes are hexadecimal,
No, they're 128 bits; hexadecimal is just their most common representation because it's friendlier to text-based protocols.
People who cobble together things like in the original post in the expectation that such activities make the things more secure remind me of people who look at their prescription from the doctor and reason "if 50mL three times a day is good, then 100mL three times a day must be better..."