I’ve been trying to improve my password hashing class for a CMS I’m currently building as a personal project. I originally used md5 without salt, then switched to md5salt+md5, then to sha1salt+sha1 and now I’ve moved over to sha512salt+sha512.

I was thinking about adding an iteration loop onto the hashing procedure also. My question is this… Am I going totally over the top with this? Or should I do it anyway as it doesn’t really cost much development time. I do intend to release the system eventually and want it to be as scalable as possible so I guess with the iteration, it could slow the login procedure down too much.

I’m just a little confused as whether to stop at what I’ve got now (sha512salt+sha512) or possibly backstep to sha1 and use a smaller salt?

Does anybody have any experience with creating such classes and also, what hashing procedure did they finally settle on? I’ve heard about bcrypt but couldnt find any php examples on this.

Thanks in advance,
Drew

Edit…

Reason for md5 hash – obvious.

Reason for sha1 – wanted more security as md5 is the lowest of the low.

Reason for sha512 – I read a few things suggesting sha1 is broken and can be concidered weak.

…Maybe the last step was unneeded?

Also, what is the accepted method or generating a random salt… just a simple 4 byte rand() Would converting this 4 byte hash to a sha hash make any difference at all?

Thanks