I was wondering to hash the password in PHP using different methods available and the combination of them for more and more security. I was wondering if this would work..?
$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);
Nope. Combinations do not add any security.
Actually you made it less secure. Theoretically, but anyway.
I have a feeling that hashing issues are way overestimated.
Nobody concerns in any other security issue but everyone anxious to make a hash unbreakable in a billion years. Relax, buddy. There are thousands other ways to break your app.
I guess adding a salt is enough, but if you want more maybe do:
sha1($salt. sha1($salt. $pass));
and let $salt contain some non-printed chars, arbitrary binary data or anything like that.
Again, I guess this won't add much since implementation I saw only add $salt, but why not more security for the coming ages : )
Rather than that, you can use a stronger hashing algorithm like sha512 with combination of a strong salt and UserID: Do it like this:
echo hash('sha512', 'MyPassword' . $StrongSalt . $UserID);
SHA512 is actually SHA-2 for which there are no collisions found. See at wikipedia.
Your passwords will most likely, never be 100% secure.
Try looking at a nonce. Which should be generated for each individual user.
IF you are going to do this, don't just MD5 the result:
$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$pass = sha1($pass.$salt);
$pass = md5($pass);
Instead, run md5 on the result and the inputs...
$pass = "***";
$salt = "!@)#%%@(#&@_!R151";
$tmp = sha1($pass.$salt);
$pass = md5($tmp . $pass . $salt);
The reason is that if you do md5(sha1()), you're basically increasing the chances of collision. The reason is that all sha1 collisions would automatically be collisions in the md5 call (hence it's a superset of the collisions). By re-entering the password and salt, you're preventing that from happening, and hence creating a "stronger" hash rather than a weaker one...