问题
I'm currently coding my own CMS and I'm at the state of password...
I want to know if I can md5 a password then sha1 it after?
Like:
$password = md5(sha1(mysql_real_escape_string($_POST['passw'])));
回答1:
You can md5 any data you'd like, even if it was hashed before.
It will, however, only increase the risk of collisions because you're now working on a smaller dataset.
What are you trying to achieve?
回答2:
Yes you can. No it doesn't make sense.
The security of chained hash functions is allways equal to or less than the security of the weakest algorithm.
i.e. md5(sha1($something)) is not more secure, than sha1($something): If you manage to break the sha1, you get the md5 for free, as shat($something) and sha1($faked_something) have the same value, and thus md5ing them will not change anything.
回答3:
Make sure you add a salt in there too, this makes it much harder to use rainbow tables against your customer's/user's passwords.
Something like:
$hashedPassword = sha1(md5($password) . $salt . sha1($salt . $password));
Where salt can be a nice long random string itself, either constant across your application or a salt per contact which is stored with the user too.
回答4:
You obviously can. I don't see why you couldn't.
If you want better security you should consider something like phpass.
回答5:
You can do this, but there's no real benefit to it. If you're running your passwords through md5(), you'll get a bit more security from adding a cryptographic salt.
What is SALT and how do I use it? has more info on that.
The other bit of advice you may hear a lot is to not use MD5. SHA1 is comparatively stronger, and you only need to change your password field in your database to accept a 40 character string.
来源:https://stackoverflow.com/questions/9143101/can-i-md5sha1password