Is there any advantage to
sha1(sha1(sha1($password. $salt)));
Basically having multiple sha1 verses just one sha1
sha1($pa
Do not, I repeat, DO NOT attempt to make your password hash safer by doing "special" things do your hash.
First of all, sha1(sha1(sha1($input)))
only has for side effect to increase the chance of collision* on each iteration. Increasing the chance of collisions is a very bad thing.
Instead of trying your hand at do-it-yourself cryptology, why not trust libraries made by actual experts in the field? Use the Portable PHP password hashing framework.
PHPass actually uses bcrypt, which is an algorithm designed to prevent rainbow table, dictionary and brute force attacks. You can initialize it with a number of rounds: the higher the rounds, the longer it takes to compute the hash. That way, you can create stronger hashes if processing power increases.
* The first call to sha1()
takes infinite input and creates one out of 2
160
outputs. The second iteration takes 2
160
inputs and creates one out of x
outputs, where x <= 2
160
. The third iteration takes x
input and creates one out of y
outputs, where y <= x <= 2
160
.
Why does each call to sha1()
reduces the amount of possible outputs? Because the algorithm behind sha1()
was not designed for one-to-one matching of the hashes. Theoretically, you are bound to have collisions if you were to hash every possible hash.