passwording...which is better?

moonbrat

Okay my little script is 98% done, but I'd like to know, which is better to use for password encryption: sha1 or md5? At the moment I don't use any (which is bad) because I'm only writing my script before a complete testing...

I'm not exactly sure which is the best one to use or what the difference is, as alot of people use md5.

I'd like to know before I use an encryption in my script for my passwords, so I can choose the best one...well, the hardest to hack.

Thanks.
Moonbrat.

dougal85

I've always used md5...

However, After a quick google... It seems that md5 makes a 128 bit string and sha1 makes 160 bit string.

This makes me thing ska1 is probably more secure but it would also mean its slower to process.

I'm going to research this actually, It's something I've not consedered for a while, when i started using md5 I just thought it was the be-all and end-all, then didnt think about it for a year or so... until now :bemused:

NogDog

Probably much more important than which of those two methods to use is to enforce strong passwords. If you require that users use at least one each of upper-case letters, lower-case letters, numbers, and possibly some set of special characters; then the possible variations that a cracking program would have to attempt increases by several orders of magnitude over weak passwords (the weakest being all lower-case letters), and rendering dictionary lookups of md5/sha1 hashes of words virtually useless.

dougal85

I guess thats true because afterall nobody should even see the md5/sha1 hash to try and crack it.

Silly me for not thinking that.

NogDog

dougal85 wrote:
I guess thats true because afterall nobody should even see the md5/sha1 hash to try and crack it.

Silly me for not thinking that.

Well, the idea of hashing (a.k.a. encrypting) the values with md5 or sha1 is so that if someone does get access to the users table in the database, they won't automatically know what password to type. But they could copy the data, then try to find out what the passwords are either by sheer brute force: comparing md5 and/or sha1 hashes on every possible character combination until they get a match; or by using a ready-made look-up table of common words/passwords and their resulting md5 (and/or sha1) hashes.

So, by enforcing strong passwords, you make it more difficult both for people who simply try to guess a password, and to make the cracking task much more complex for someone who does somehow get hold of the password data. But this latter aspect is a "last line of defence"; it would be best that nobody ever gets that far, which means carefully protecting your database login passwords (and making sure that they are particularly "strong" passwords) and controlling who has access to all passwords associated with your site (login, FTP, etc. as well as database).