Encryption Types


AldarHawk
The Manager

I was just wondering what all the web admins out there use for hashing in their databases. I personally use a grouping dependent on what I am doing.

For passwords I generally use SHA512. If I just want to make the data hashed and it will be seldom used, I will sometimes use Whirlpool. If it will be a high-traffic site, I will cut back and use SHA256 for the password hashing.

What about all of you…let me know…


ghost

I haven't made anything that has required it recently, but I've used SHA-1 earlier. Although if I were to code anything today, I would probably also use one of the SHA-2 hashing algorithms. Of course with a good salt.


AldarHawk
The Manager

What, you think that SHA512 without a salt will be brute-forced any time in the near future?


spyware
Banned

AldarHawk wrote: What, you think that SHA512 without a salt will be brute-forced any time in the near future?

Yes.

Did you see the formula of increasing processor speed? Now mix that with a botnet…

Yes, yes, yes.


ghost

Just pick a password, md5 it once, take the first 10 numbers, add the first 3 letters of the username and you got a very neat encryption.


ghost

1337h4cker wrote: Just pick a password, md5 it once, take the first 10 numbers, add the first 3 letters of the username and you got a very neat encryption.

No, not really.


fashizzlepop
Member

1337h4cker wrote: Just pick a password, md5 it once, take the first 10 numbers, add the first 3 letters of the username and you got a very neat encryption.

Wow, you just raised the number of possible collisions from -22 to 500,000.

Approximately. Give or take a few dashes and underscores.


AldarHawk
The Manager

spyware wrote: Yes. Did you see the formula of increasing processor speed? Now mix that with a botnet… Yes, yes, yes.

Okay, so if I get you right, in the near future (less than 5 years) a 128-bit hashing algorithm will be in the same state as MD5? Very doubtful. I know hashing pretty well, spy (as I know you well enough ;)), and I would say it will be at least 10 years before SHA512 is at that point. I do not care how fast the processor is. MD5 takes ages to crack a password and SHA512 takes much longer to process a hash than MD5 (in terms of cycles), so no matter what you think, this will not happen anytime in the near future. But the one yes I do agree with is that hashed passwords should be salted anyway, just dependent on what salt you wish to use ;)

A simple salt could be hash( 'crc32', $username ); that way you get a small salt (8 characters), and then you salt the password with that and you will then reduce the chance of collisions by a lot. But again, I am sure someone would find a flaw in even this ;)
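
The username-derived CRC32 salt suggested in the last post, set beside a random per-record salt and PHP's built-in password API, as an added example that is not part of the thread. The usernames and passwords are constructed samples, joining salt and password by concatenation is an assumption, and password_hash() is brought in here rather than taken from any post.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.0 or later.

// Scheme from the last post: salt = hash('crc32', $username), then SHA-512.
// Combining salt and password by concatenation is an assumption.
function crc_salted_sha512(string $username, string $password): string
{
    $salt = hash('crc32', $username);      // 8 hex characters, i.e. 32 bits
    return hash('sha512', $salt . $password);
}

// Random 16-byte salt stored beside the digest; still a single fast hash pass.
function random_salted_sha512(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha512', $salt . $password)];
}

function verify_random_salted(array $record, string $password): bool
{
    $candidate = hash('sha512', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);   // constant-time compare
}

// Constructed sample: the same username and password stored on two sites.
// The salt is a pure function of the username, so the digests are compared
// to show whether a table precomputed for one site also fits the other.
$siteA = crc_salted_sha512('admin', 'correct horse');
$siteB = crc_salted_sha512('admin', 'correct horse');
var_dump($siteA === $siteB);

// With a random salt, each record gets its own salt even for equal passwords.
$recA = random_salted_sha512('correct horse');
$recB = random_salted_sha512('correct horse');
var_dump($recA['hash'] === $recB['hash']);
var_dump(verify_random_salted($recA, 'correct horse'));

// password_hash() generates a random salt itself and uses a deliberately slow
// algorithm with an adjustable cost; salt and cost are embedded in the output.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
var_dump(password_verify('wrong guess', $stored));
```

The salt addresses precomputed tables and identical digests across records; the per-guess cost that the processor-speed argument in the thread turns on is only changed by the slow algorithm in the last step.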