I'm currently coding my own CMS and I'm at the state of password...
I want to know if I can md5 a password then sha1 it after?
Make sure you add a salt in there too; this makes it much harder to use rainbow tables against your customers'/users' passwords.
Something like:
$hashedPassword = sha1(md5($password) . $salt . sha1($salt . $password));
Where salt can be a nice long random string itself, either constant across your application or a salt per contact which is stored with the user too.
You obviously can. I don't see why you couldn't.
If you want better security you should consider something like phpass.
Yes you can. No it doesn't make sense.
The security of chained hash functions is always equal to or less than the security of the weakest algorithm.
i.e. md5(sha1($something)) is not more secure than sha1($something): if you manage to break the sha1, you get the md5 for free, as sha1($something) and sha1($faked_something) have the same value, and thus md5ing them will not change anything.
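The collision argument in the answer above, as an added example that is not part of the original answer: two inputs that collide in the inner hash also collide in the chained hash, whatever the outer function is. `weak_inner()` is a hypothetical stand-in for a broken inner hash (SHA-1 truncated to 16 bits so the search finishes instantly), and the input strings are constructed.

```php
<?php
// Added example: toy demonstration, not production password hashing.
// weak_inner() is a hypothetical stand-in for a "broken" inner hash:
// SHA-1 truncated to 16 bits so a collision turns up within a few hundred tries.
function weak_inner(string $input): string
{
    return substr(sha1($input), 0, 4); // 4 hex characters = 16 bits
}

// The chained construction discussed above: outer(inner(x)).
function chained(string $input): string
{
    return md5(weak_inner($input));
}

// Birthday search over constructed inputs until two share an inner digest.
function find_inner_collision(): array
{
    $seen = [];
    for ($i = 0; ; $i++) {
        $candidate = "constructed-input-$i";
        $digest = weak_inner($candidate);
        if (isset($seen[$digest])) {
            return [$seen[$digest], $candidate];
        }
        $seen[$digest] = $candidate;
    }
}

[$a, $b] = find_inner_collision();

// The outer md5() only ever sees the inner digest, so it cannot tell the
// two inputs apart, even though md5() applied directly to them can.
printf("inputs differ:       %s\n", $a !== $b ? 'yes' : 'no');
printf("inner digests match: %s\n", weak_inner($a) === weak_inner($b) ? 'yes' : 'no');
printf("chained match:       %s\n", chained($a) === chained($b) ? 'yes' : 'no');
printf("md5 alone matches:   %s\n", md5($a) === md5($b) ? 'yes' : 'no');
```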
You can md5 any data you'd like, even if it was hashed before.
It will, however, only increase the risk of collisions because you're now working on a smaller dataset.
What are you trying to achieve?
You can do this, but there's no real benefit to it. If you're running your passwords through md5(), you'll get a bit more security from adding a cryptographic salt.
"What is SALT and how do I use it?" has more info on that.
The other bit of advice you may hear a lot is to not use MD5. SHA1 is comparatively stronger, and you only need to change your password field in your database to accept a 40 character string.