Home/ Questions/Q 5956927
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T18:19:40+00:00

i’m testing several combinations of sha1 and md5: <?php $test = ‘fail test’; echo

  • 0

i’m testing several combinations of sha1 and md5:

<?php
$test = 'fail test';
echo nl2br ("Text: $test\n");
echo nl2br ("md5: ".md5($test)."\nsha1: ".sha1($test)."\nsha1(md5): ".sha1(md5($test))."\nmd5(sha1): ".md5(sha1($test)));
?>

Output:

Text: fail test
md5: 748410d0085967c496d54dd8fcbecc96
sha1: d730125e8cb8576459173655148fb6896ef44c09
sha1(md5): faa3ebeecfec45e509e93e6b245a69e2a78785ea
md5(sha1): b48e89b85c350c91eb302c1de96d4249

Which one better, or maybe user something else ? If yes, what then ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Hashing a hash adds no extra security. (In fact, it might make it worse if the person has a hash-of-hash lookup table.)

    The best hash will be the one that is computationally the most expensive to perform without any vulnerabilities. I would hash passwords with at least sha-256.

    Always hash your passwords with a salted key. This key should be unique per password. It doesn’t need to be stored privately. The purpose of a salted password is that the hacker who gained access to your database cannot simply compare the hash with a known list of hashes that correspond to common passwords. Instead, he must try to brute force the password by trying every possible password.

    By using a unique salt per password, you guarantee that each hash in the database is different, even if they use the same password.

    To salt a password, simply create a random string of characters and append it to the password. Here’s a sample hash with a 48-bit salt and sha-256:

    function make_password($password)
{
  # random 48-bit salt (8 chars when base64 encoded)
  $salt = base64_encode(pack('S3', mt_rand(0,0xffff), mt_rand(0,0xffff), mt_rand(0, 0xffff)));

  return $salt.hash('sha256', $salt.$password);
}

function check_password($password, $hash)
{
  $salt = substr($hash, 0, 8);
  return hash('sha256', $salt.$password) == substr($hash, 8);
}

$password = 'password';
$hash = make_password('password');

echo $hash."\n";

var_dump(check_password('password', $hash));
var_dump(check_password('wrong', $hash));

    Every time you run it, the hash will be different. To validate a password, you select the row where the username matches, and then call check_password($password_from_user, $hash_from_db).

    Here’s a sample output:

    AzrD1jZzc693714a43ad5dfd4106c0a620ef23ff9915070711fa170a6670b8164862b496
bool(true)
bool(false)

    You can use a larger salt or a stronger hashing algorithm if you prefer. But at minimum, I would use something like the above.

    • 0