Password encryption?

When you save passwords in a database, how much encryption should you use?

$rand = rand(0,9999);
$password = sha1((md5($password)+$rand),CRYPT);

Would something like this be enough encryption?

Ah yer that would be more then enough, in fact it would be too much. How are you going to work out what random number you added to the record?

I usally just go md5($password);

However I've started going sha1($password); and I figure thats enough its one way encryption so it should be hard enough.

I keep hearing people say bad things about using sha1 or md5 alone so I didn't know how far I should actually take it

You could store the random number in the database also .

Use SHA256/SHA2 instead of SHA128/SHA1. SHA1 has security flaws. MD5 is nothing that you should ever use, besides when doing checksums on files.

Originally Posted by echoSwe Use SHA256/SHA2 instead of SHA128/SHA1. SHA1 has security flaws. MD5 is nothing that you should ever use, besides when doing checksums on files.

hm everyone here says, you shouldn't use md5... but why? isn't it secure?

there are many md5 library/ crackers now that you just add the hash and it will find wheat the word is. This generally only works with dictionary words.

I don't know what type of site you're seeking encryption for, but if you're merely trying to avoid storing raw passwords on your average site, using a standard method (such as md5 or sha1) along with salting it with an unknown and random (yet static) string should be more than sufficient. There are obviously numerous stronger methods than I mentioned, but they are also less efficient and thus unless needed, wouldn't exactly be practical.

I just stick with md5(md5($password)) It's pretty simple but can easily bypass most of those library's / crackers he was talkin' about...

If you have the registration timestamp in the database you can do md5(md5($password)+$reg_timestamp)

I've heard that you shouldn't hash a hash. It (supposedly) makes the hash have a greater chance of collisions (which is a bad thing).

So doing md5(md5($p)) is not the best way to do things.

Thats what I have been told, so I'm not to sure what to do.

Originally Posted by unclekyky I've heard that you shouldn't hash a hash. It (supposedly) makes the hash have a greater chance of collisions (which is a bad thing). So doing md5(md5($p)) is not the best way to do things. Thats what I have been told, so I'm not to sure what to do.

I've heard nothing about that, and all the large scripts do it this way. vBulletin itself uses md5(md5($password)+$salt)