sha1 usage

[jimfog]

besides using sha1 when entering passwords in a database where else it might be used? Is it usual to use is also with user names-when inserting them in a database?

[birbal]

sha1 is nothing but an algorithm of hashing, so it can be used anywhere where you will need to hash something. hash is one way encrypting where you cant retreive the original source (theoretically). hash widely used in password encryption,session,http based authentication etc.

Is it usual to use is also with user names-when inserting them in a database?

it is not usual.once hashed you cant get back the username from there. Edited June 25, 2012 by birbal

[divinedesigns1]

so how would you retrieve the password if the person forgot their password? isnt there a way to unencrypted the sha1?

[birbal]

This is the purpose for hashing so no one can decrypt back to original source. You dont send password to the user. you will let them a chance to change them. like sending them email. sending plain text for forget password is security risk.

[divinedesigns1]

okie, so basically they just going to have to recreate the password, but if you have a personal cms and you forgot the password how would you change that if its encrypted with sha-1/md5, etc?

[Guest So Called]

For lost password you don't send them their password. Remember, it's hashed. Nobody can get the hashed password back. You send them a new, temporary password. They login and then they can set a new password to whatever they want.

[justsomeguy]

but if you have a personal cms and you forgot the password how would you change that if its encrypted with sha-1/md5

Figure out how the password was hashed, hash your new password the same way, and update the database. If you need to recover the password then you need to use encryption instead of hashing.

[Guest So Called]

Passwords are traditionally hashed (and usually salted to increase their complexity) so that if the database is compromised the hacker will not be able to reverse engineer the passwords. It is too often the case that in spite of being warned most people still use one password for many sites, and often their email too, which would permit a hacker to take over their entire identity. Multiply that by dozens or hundreds of people registered to a forum or social site. Hashing is a first line defense to protect against that. I've never seen a forum send the current password as a response to lost password retrieval. What I always see is the forum sends a temporary password to the last valid email address. The member receives the email, then uses the temporary password to login and create a new permanent password.

[jimfog]

So from all the hashing function out there which you would choose for storing passwords in the database? Which is the more secure?

[birbal]

its change time after time as more proccessing power will have to the pc it will be the chances to crack will be increase.sha1is ok.better will be sha2 family,blowfish,whirlpool. dont use MD family ever like jsg already said.http://www.kellermansoftware.com/t-articlestrongesthash.aspx check out the chart at bottom of the page thy are not function actualy they are algorithms. some of them has dedicated functions like md5() for rest of algorith you have to use hash() or crypt()

[jimfog]

... dont use MD family ever like jsg already said.

The question is here, then, Is there any case/scenario where I would need to get back the password, so as to use encryption? A case in web development as we know it today. I saw the article and the author does not mention the case of salted MD5, considered by many much more secure thatplain MD5. Edited June 28, 2012 by jimfog

[birbal]

i don't think you will need to get back your users password in any case so thus you don't need to use encryption to store password. The whole idea of password hashing is for one way encryption so that no one can easily get back your passwords if your database has been compromised by attacker. You don't need to get back password. if you later plan to change your hashing algorithm you can force your user to change password by changing the password by cron jobs and sending it to them by email. if you admin want to change user password they can use same hash algorithm to hash the password and update the field.

[justsomeguy]

The question is here, then, Is there any case/scenario where I would need to get back the password, so as to use encryption?

That's a question for you to answer, based on how you want your software to work. Some systems encrypt their passwords so that they can send them to the user, other systems use hashing and send the user a link to click on where they can change their password.

I saw the article and the author does not mention the case of salted MD5, considered by many much more secure that plain MD5.

Salted anything is better than unsalted, but again, why would you use salted MD5 when you can use salted SHA-512 instead? You may want to look into this to help base your password policies on: http://www.openwall.com/phpass/

if you later plan to change your hashing algorithm you can force your user to change password by changing the password by cron jobs and sending it to them by email.

Another option would be to have a field where you store the password version. You could start at version 1 and if you want to change your hashing algorithm then you can have your password checking code implement a version 2 algorithm. When someone logs in then it would check which password version they're using and use the appropriate algorithm to check their password, and if they're not using the current version then it would re-hash the password with the current version, update the hash in the database, and update the version number for them. They would never see anything change, there wouldn't be any interactivity required on their part other than logging in normally and their password would stay the same.

[Monckey100]

I'm surprised no one mentioned this but you can use sha1 to compare file sizes and even do some sort of spider crawl on your site to compare for duplicate images.also if you sha1 the users, usernames then you wouldn't be able to do simple calls like "Welcome Monckey100!, settings, about" Etc