Hello, Ok well this tutorial will teach you how to encrypt data in Sha1 using a function called Sha1() ... wonder were they got the name . Ok well Lets begin

First off sha1, turns any words no matter how long into a 32 character key. Ok so you would set a basic sha1 statment like this:

That code will turn the variable encrypt into a 32 char key. Ok well lets get a little trickier using this in an SQL query.

Ok well after you set that in great...now how do you get the info out? well um... Idk
haha ok well the script to gain information is obvious, but yet some might look past it because of that

yup thats it... basicly thats all there really is to know about sha1(); its a great encrypter and not widely used so its harder to crack, however if you are stubborn and want to use md5, substitute the sha1() function for the md5() function, thats all there is to it .
Ok well if anyone was able to follow that, I hope you learned something...this was my first tutorial so I hope you can gain some knowledge off of it.

for more information on US Secure Hash Algorythm 1: http://www.faqs.org/rfcs/rfc3174

I couldn't find where that was, I was going to go in detail with it...to late

It is not really ok to say encryption using sha1 , or md5... because this are one-way encryption or hashing.
You cannot encrypt and than decrypt using this

shoudnt this:



be:

That golly-gee might help! I want MY un-protected passwords entered:D!

Thanks for sharing that tutorial, it's suprising how many functions there are available in php.

I believe over 10000 w/o modules that are made by other companies (ie, pear, zend framework)

What´s best to use - Sha1 og MD5?

It's actually not widely used for a good reason, not because it's harder to crack (because its easier). Read the articles below for more info on sha1 and md5.

http://www.schneier.com/blog/archives/2005...analysis_o.html
http://it.slashdot.org/article.pl?sid=05/1...&tid=93&tid=228

Even if it is easier, there are still many more people who just believe that most websites are encrypted in md5 which isn't true..but is there a way to tell them apart?? It all looks like crap to me

The length of the encrypted string. md5() returns a shorter string then sha1(), and if i'm right, the length of the strings they return is always the same... but that's just a guess.

The lenght for all md5/sha1 hashes is the same, it's even so that 2 completely different sentences or pieces of text may have the same hash!

YAY! Encyriptions.

Bring some more encyriptions please on here.

Now, to add to my collection md5 and sha1.

Good tutorial but is it actually safe to use?

Well, i suggest using MD5 and not SHA1. Also, you shouldn't never check passwords directly in the MySQL query. You should first load the member data using the member id then validate the password against it in PHP, not MySQL. It's safer this way (just like you should never validate both username and password at the same time either, huge risk there).

Ok, well, i just have to problems left.

You should never store an unencrypted password. Apart from the several various other reasons i'm saying this, those 2 lines should be more like this one line:

And then Theres a slight parse error:

You're missing a ") before the semi-colon.


Safer than base64_encode()

rc69: what about something like?



or is that overkill?

I've never been a fan of "seeds." I don't really see a point in one. They basically have to be static in order to function correctly (different per user, but still static), in which case, a hacker gets the seed automatically appended to his "guess."

But i don't know much about hacking. I do know sha1 is suseptable to brute-force attacks, but md5 isn't. So i guess that would be one way of doing it. Another would be to append the sha1 encryption to the md5 one.

Yes, it would result in a long encryption. But i dare somebody to find 2 strings that create the same output with that

I always find a safe way to do this is:



It starts inwards to outwards, so md5 the password, sha1 that hash, md5 that hash, then md5 it again.

Not true, sha1 returns a 40 character key, md5 returns 32. I wonder why nobody corrected this earlier?

I thought my way was overkill. That method goes beyond overkill into a realm of it's own. Not to mention it's a performance nightmare. It might not matter with only 50 users a day, but, depending on what else you have in your code, that would seriously slow it down.


Lol, i never know how many characters where in a sha1 string. I knew it was more than 32, but i wasn't paying attention

Actually it doesn't slow it down at all, md5 and sha1 is just like any other php function, it's an instant function so it doesn't slow the script down, maybe apart from by 0.01 seconds.

It doesn't matter whether it is built-in or custom. Any call to a function slows things down. Built-in functions just have a tendancy to be faster than custom functions.

Here's a slight twist on rc's idea of md5($pass).sha1($pass)

I like his idea of keeping it simple but wanted to add a little twist to it.

sv1(), nice

I see you still haven't compensated for md5 being about 8 characters shorter than sha1 yet though. Is that intentional?

Personally, i've never liked having to add those two together. It's secure, but if you get a large database of passwords, then it shorta gets cumbersome. If i were to use your method, i would simply set the condition to $i < 16; (32/2 results in string of 32 characters). The only potential problem with that is a greater chance of cross-overs with passwords (different word, same encryption). I hate finishing out my thought process sometimes...

yeah, i just left the last 6 characters as they were


what are the chances of the 2 words having the same encryption with 2 different methods and being blended together though?

With the full length of 60+ characters? One in a million^2. With only 32 characters, one in a million.

with the release of http://www.undosha1.com/ many passwords can be unhashed pretty quick now

Well, the first thing that popped out to me and bit me on the nose, was that where you're setting the variable to secure, is that supposed to be a constant or a string? If someone were to copy and paste that code then a PHP error would ensue.

Moreover, I'd like to see some mention of client-side hashing and HTTPS if Javascript is disabled. Also, there's no mention of cryptography salts - which would make such sites as Kristopher mentioned useless. These are all key issues, whereas I'm sure everybody knows how to use SHA1!

MD5, SHA1 and SHA256 etc are all designed for speed, the faster the weaker, if you want something more secure but slower then go for Bcrypt, google it.

The attacker/hacker really cares a lot if password tests take twice as long. If one password test takes twice as long, the total password cracking time takes twice as long.