Best form of Encryption(md5 ect..)
Old 02-21-2009, 04:30 AM Best form of Encryption(md5 ect..)
Red_X_'s Avatar
Extreme Talker

Posts: 158
Location: Houston
Trades: 0
I've been reading around quite a bit comparing different types of PHP encryption, and other forms of encryption.

So what would you think is the best type of encryption? (md5, SHA1, SHA2, Md5, Md6).
__________________
"Good News Everyone, by reading this you're hearing my voice."
 
 
Old 02-21-2009, 05:21 AM Re: Best form of Encryption(md5 ect..)
lizciz's Avatar
Super Spam Talker

Posts: 807
Name: Mattias Nordahl
Location: Sweden
Trades: 0
I've been reading up on that too recently :P
First off, it's not encryption but hashing. The difference being that an encryption has a way to decrypt to receive the original text, while the whole point of a hash is that it can't (within reasonable time).

Now, a (very) short summary of what I've learned. (Oh, and this is for password storing. Things that I say aren't good may be good for other purposes.)

* md5 sucks, it's not random enough and it's waaay too fast.
* There are a couple of hashing algorithms that are good, the best one being bcrypt
* You can use this PHP implementation of bcrypt.

I started using it in my scripts yesterday and it's working fine
 
Old 02-21-2009, 05:24 AM Re: Best form of Encryption(md5 ect..)
NullPointer's Avatar
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
PHP supports md5 and sha up to 512. MD6 is not supported natively as far as I'm aware and wouldn't be applicable in a lot of cases as it is intended for encryption with very large inputs while utilizing multiple cores efficiently.

All of the encryptions you mentioned with the possible exception of md5 are impractical to crack using brute force, however other more clever means do exist. In short sha512 is more secure than sha1 which is more secure than md5, however I doubt you're going to be experiencing security issues by using sha1 instead of a more robust algorithm.

Just remember to use a salt when encrypting passwords.

Quote:
Originally Posted by lizciz View Post
First off, it's not encryption but hashing. The difference being that an encryption has a way to decrypt to receive the original text, while the whole point of a hash is that it can't (within reasonable time).
I suppose you could break down the semantics further and claim it's not hashing, but cryptographic hashing. A hash function maps a value to an index of a hash table whereas a cryptographic hash function maps a value to a fixed length string.

I agree with your comments regarding md5. I think the intended use of md5 is for file integrity validation. For password hashing it's best to stick to algorithms that are less likely to generate collisions.
Last edited by NullPointer; 02-21-2009 at 05:55 AM.. Reason: So many typos, this is what happens when you post at 2:00AM
 
Old 02-21-2009, 05:37 AM Re: Best form of Encryption(md5 ect..)
rogem002's Avatar
PHP Chap

Posts: 843
Name: Mike
Location: United Kingdom
Trades: 0
Here is the best form of hashing:
PHP Code:
<?php
$password = md5("1234"); // what you want hashing.
$salt = md5("dfgdfg"); // some extra crash to tip the boat.

// Firstly, here are some of the native hashes,
$password = md5(crc32(sha1($password).$salt));

// this will go through all the hashing's available on the system.
foreach (hash_algos() as $algorythm) {
    $password = hash($algorythm, $salt . $password);
}

$password = md5($password); // Just to tidy things up.
?>
However, this does assume that the hash_algos() is not updated. It could be worthwhile making a backup of the list if you need to hash something in the future.
Last edited by rogem002; 02-21-2009 at 07:24 AM..
 
Old 02-21-2009, 05:50 AM Re: Best form of Encryption(md5 ect..)
NullPointer's Avatar
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by rogem002 View Post
Here is the best form of hashing:
Let's just hope that another hashing algorithm does not become available at some point or else your strings won't match up.

Honestly I think that method, if used on a large scale, would eat up too many resources for too little an advantage. I'd bet that the resulting hash of that method would be less secure than one from a simpler method such as:

PHP Code:
$password = $_POST['password'];
$salt = 'c%f';
//I usually generate random salts for each user
//and store them in the database

$hash = sha1($salt . sha1($password));
Last edited by NullPointer; 02-21-2009 at 05:53 AM..
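Added example, not part of either post: rogem002's chain run against two algorithm lists to show the dependence NullPointer points out, followed by a check of the 32-bit crc32() step the chain passes through (an observation added here, not one made in the thread). chained_hash and find_colliding_pair are hypothetical names, the extra 'sha256' entry stands in for a newly added algorithm, the inputs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Inputs are constructed samples.

// rogem002's chain, with the algorithm list passed in explicitly.
function chained_hash(string $password, string $salt, array $algos): string
{
    $password = md5($password);
    $salt = md5($salt);
    $password = md5(crc32(sha1($password) . $salt)); // crc32() yields 32 bits
    foreach ($algos as $algo) {
        $password = hash($algo, $salt . $password);
    }
    return md5($password);
}

// 1. The stored value depends on the server's algorithm list: one more
//    entry in hash_algos() and the same password no longer matches.
$today = hash_algos();
$later = array_merge($today, ['sha256']); // stand-in for a newly added algorithm
$stored = chained_hash('1234', 'dfgdfg', $today);
printf("still verifies after list change: %s\n",
    var_export(hash_equals($stored, chained_hash('1234', 'dfgdfg', $later)), true));

// 2. Everything after crc32() is a function of one 32-bit integer, so two
//    different passwords that share that integer share the final hash.
//    Walk constructed candidates until two of them share it.
function find_colliding_pair(string $salt): array
{
    $seen = [];
    for ($i = 0; ; $i++) {
        $candidate = "pw$i";
        $crc = crc32(sha1(md5($candidate)) . md5($salt));
        if (isset($seen[$crc])) {
            return [$seen[$crc], $candidate, $i + 1];
        }
        $seen[$crc] = $candidate;
    }
}

[$a, $b, $tries] = find_colliding_pair('dfgdfg');
printf("'%s' and '%s' share a crc32 value (%d candidates tried)\n", $a, $b, $tries);
printf("same final hash: %s\n",
    var_export(chained_hash($a, 'dfgdfg', $today) === chained_hash($b, 'dfgdfg', $today), true));
```

However many functions follow it, the chain can produce at most 2^32 distinct outputs per salt, which is far fewer than a single sha1() or bcrypt call.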
 
Old 02-21-2009, 07:26 AM Re: Best form of Encryption(md5 ect..)
rogem002's Avatar
PHP Chap

Posts: 843
Name: Mike
Location: United Kingdom
Trades: 0
Quote:
Originally Posted by NullPointer View Post
Let's just hope that another hashing algorithm does not become available at some point or else your strings won't match up.
Point taken and post updated.

I think overall, use various hashing methods. For example not just sha1, but like
sha1, md5 and various other ones combined.
 
Old 02-21-2009, 09:12 AM Re: Best form of Encryption(md5 ect..)
wayfarer07's Avatar
Poo on You

Posts: 3,987
Name: Abel Mohler
Location: Asheville, North Carolina USA
Trades: 0
I use an md5 hmac when I want to do secure hashing. It is available in the mhash library, but is easy to reproduce if you don't have mhash available:

PHP Code:
    function hmac($data, $key) {
        $b = 64; // byte length for md5
        if (strlen($key) > $b) {
            $key = pack("H*", md5($key));
        }
        $key  = str_pad($key, $b, chr(0x00));
        $ipad = str_pad('', $b, chr(0x36));
        $opad = str_pad('', $b, chr(0x5c));
        $k_ipad = $key ^ $ipad;
        $k_opad = $key ^ $opad;

        return md5($k_opad . pack("H*", md5($k_ipad . $data)));
    }
Since an HMAC is a keyed hash, I use this form of hashing for encryption functions. It is supposed to be very strong.
Last edited by wayfarer07; 02-21-2009 at 09:14 AM..
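Added example, not part of wayfarer07's post: the hmac() function above checked against PHP's built-in hash_hmac() and two RFC 2202 HMAC-MD5 test cases, plus a constant-time tag comparison. check_cases and tag_is_valid are hypothetical helper names, the third test row and the sample key and message are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread.

// hmac() as posted above, with the two pad strings inlined.
function hmac($data, $key) {
    $b = 64; // byte length for md5
    if (strlen($key) > $b) {
        $key = pack("H*", md5($key));
    }
    $key    = str_pad($key, $b, chr(0x00));
    $k_ipad = $key ^ str_pad('', $b, chr(0x36));
    $k_opad = $key ^ str_pad('', $b, chr(0x5c));
    return md5($k_opad . pack("H*", md5($k_ipad . $data)));
}

// [key, message, expected digest]. The first two rows are RFC 2202 HMAC-MD5
// test cases; the third is constructed to reach the key-longer-than-block
// branch and is compared with hash_hmac() only.
$cases = [
    [str_repeat("\x0b", 16), 'Hi There', '9294727a3638bb1c13f48ef8158bfc9d'],
    ['Jefe', 'what do ya want for nothing?', '750c783e6ab0b503eaa86e310a5db738'],
    [str_repeat('k', 100), 'constructed message', null],
];

function check_cases(array $cases): bool
{
    foreach ($cases as [$key, $message, $expected]) {
        $builtin = hash_hmac('md5', $message, $key);
        if (!hash_equals($builtin, hmac($message, $key))) {
            return false; // hand-rolled version disagrees with PHP's
        }
        if ($expected !== null && !hash_equals($expected, $builtin)) {
            return false; // disagrees with the published vector
        }
    }
    return true;
}

// Checking a tag that arrived with a message: recompute it and compare in
// constant time rather than with == or ===.
function tag_is_valid(string $message, string $key, string $tag): bool
{
    return hash_equals(hash_hmac('md5', $message, $key), $tag);
}

var_dump(check_cases($cases));
$tag = hmac('constructed message', 'constructed key');
var_dump(tag_is_valid('constructed message', 'constructed key', $tag));
var_dump(tag_is_valid('constructed messagE', 'constructed key', $tag));
```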
 
Old 02-21-2009, 12:16 PM Re: Best form of Encryption(md5 ect..)
Red_X_'s Avatar
Extreme Talker

Posts: 158
Location: Houston
Trades: 0
Quote:
Originally Posted by rogem002 View Post
Here is the best form of hashing:
PHP Code:
<?php
$password = md5("1234"); // what you want hashing.
$salt = md5("dfgdfg"); // some extra crash to tip the boat.

// Firstly, here are some of the native hashes,
$password = md5(crc32(sha1($password).$salt));

// this will go through all the hashing's available on the system.
foreach (hash_algos() as $algorythm) {
    $password = hash($algorythm, $salt . $password);
}

$password = md5($password); // Just to tidy things up.
?>
However, this does assume that the hash_algos() is not updated. It could be worthwhile making a backup of the list if you need to hash something in the future.
There's a term for that...and I can't get it...it's on the tip of my tongue, a reason why you shouldn't use multiple hash methods (minus the add of salt).
__________________
"Good News Everyone, by reading this you're hearing my voice."
 
Old 02-22-2009, 03:08 PM Re: Best form of Encryption(md5 ect..)
NullPointer's Avatar
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by rogem002 View Post
I think overall, use various hashing methods. For example not just sha1, but like
sha1, md5 and various other ones combined.
I have to disagree. So long as you use a proper salt, the resulting hash is just as secure as one that uses multiple hashes. The only thing that matters is the last hash function you use.

So
PHP Code:
md5($salt . md5($password));
is equally secure as your method. This is because generating a collision for one hash is just as likely as the other.

For this same reason
PHP Code:
sha1($salt . sha1($password));
is more secure than your method. This is because hashes generated by sha1 are harder to generate collisions for.
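Added example, not part of any post in this thread: lizciz's bcrypt recommendation and NullPointer's per-user random salts, done with PHP's built-in password API. It assumes PHP 7.1 or later; the cost of 12, the helper names store_password and check_password, and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Sample passwords are constructed.
const BCRYPT_OPTIONS = ['cost' => 12]; // assumed starting point; tune per server

// password_hash() draws a fresh random salt on every call and stores the
// algorithm, cost and salt inside the returned string, so no separate
// salt column is needed.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Returns [ok, replacementHash]. replacementHash is non-null when the stored
// hash was made with an older algorithm or a lower cost and should be saved
// in place of the old one.
function check_password(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    $upgrade = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? store_password($plain)
        : null;
    return [true, $upgrade];
}

// The same password hashed twice: each call gets its own salt.
$h1 = store_password('correct horse');
$h2 = store_password('correct horse');
printf("hashes identical: %s\n", var_export($h1 === $h2, true));

[$ok, $upgrade] = check_password('correct horse', $h1);
printf("right password: ok=%s upgrade=%s\n",
    var_export($ok, true), var_export($upgrade !== null, true));
[$ok] = check_password('wrong guess', $h1);
printf("wrong password: ok=%s\n", var_export($ok, true));

// A hash created earlier at cost 10 still verifies after the site moves to
// cost 12, and is flagged so it can be replaced at that login.
$old = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgrade] = check_password('correct horse', $old);
printf("old hash: ok=%s upgrade=%s\n",
    var_export($ok, true), var_export($upgrade !== null, true));

// Rough cost of computing one hash with each function.
$t = microtime(true); md5('correct horse'); $md5 = microtime(true) - $t;
$t = microtime(true); store_password('correct horse'); $bc = microtime(true) - $t;
printf("md5 %.6fs, bcrypt %.6fs\n", $md5, $bc);
```

Because the parameters travel inside each hash string, a later change of cost or algorithm does not invalidate the hashes already stored. bcrypt only uses the first 72 bytes of the password.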
 