Is it possible to break a sha1(md5('password')) password?


This is the question: Is it possible to break a sha1(md5('password')) password?

Or which is better: md5 in sha1 or sha1 in md5?

Thanks!


There are 6 best solutions below

1
On

Multiple hashing doesn't further secure your password. Just use a secure, salted hash.

Check out http://php.net/hash

0
On

Wrapping the hashing functions inside each other isn't going to make your hashes any more secure. A rainbow table could still be constructed to allow an attacker to read a large number of passwords in your database.

This is assuming of course that they have access to your code, but they probably do since by this stage they have access to your database.

3
On

md5 will get you a 32-character string.
sha1 will get you a 40-character string.

But, in both cases, those strings will only contain hexadecimal characters, which means only 16 possible values for each position: 0-9 and a-f.

I don't think using md5+sha1 (no matter in which order you call those) is such a good idea: using only one of those on your password will probably be safer.

Just consider:

  • You can have, say, at least 8 characters in your password
  • Each of those 8 characters can be a letter (upper or lower case), a number, a special character; which means at least something like 75 possibilities for each position

Don't you think that would make more possible combinations than 32 hexadecimal characters?


Just use one hashing function, and salt your password.

0
On

According to Wikipedia's MD5 article:

"The security of the MD5 hash function is severely compromised."

So adding MD5 to a SHA1 is not gonna make your thing more secure. I would even say that hashing an already hashed thing is not gonna make it more secure either.

A common mechanism that many people use for storing passwords is a salt encryption over a hashed string.

0
On

Since no one answered the original question: Yes, it is possible.

As to the second question: md5(sha1('password')) will actually reduce security compared to just using sha1 because the hash size will be reduced. And the other way around doesn't help either.

Always use salting!

0
On

Using two hashes does not make your algorithm safe; hashing once, using the best (with more bits) algorithm AND adding some salt does. For example:

sha1('This is some salt' . $string . 'othersalt')

This is much safer against rainbow tables. I mean: not completely safe, as the attacker could build a rainbow table, but it is safer because common rainbow tables won't work. Also notice that both algorithms have been cracked: I strongly suggest you use SHA-2, e.g. sha-128 or sha-256. They still haven't been broken.
Last thing: always salt hashes against rainbow tables. Always use the best hashes: SHA-3 is coming, you may want to use it.
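
The schemes discussed in the answers above, side by side, as an added PHP example (not code from the question or from any answer; the function names and sample accounts are constructed for illustration). It stores the same passwords with the question's sha1(md5()), with the fixed-salt variant from the last answer, and with PHP's built-in password_hash(), then counts how many stored values are shared between users.

```php
<?php
// Added example. User names and passwords below are constructed sample data.
$users = ['alice' => 'password', 'bob' => 'password', 'carol' => 'Tr0ub4dor&3'];

// 1. The scheme from the question: unsalted and deterministic.
function nested(string $pw): string {
    return sha1(md5($pw));
}

// 2. One fixed salt for the whole site, as in the last answer.
function static_salted(string $pw): string {
    return sha1('This is some salt' . $pw . 'othersalt');
}

// 3. Per-password random salt and a deliberately slow algorithm.
//    password_hash() generates the salt itself and stores it, together
//    with the algorithm and cost, inside the returned string.
function per_user(string $pw): string {
    return password_hash($pw, PASSWORD_DEFAULT);
}

// Count how many stored values belong to more than one user. Each shared
// value means one successful guess (or one precomputed table entry)
// exposes several accounts at once.
function shared_values(array $stored): int {
    $counts = array_count_values($stored);
    return count(array_filter($counts, fn($n) => $n > 1));
}

foreach (['nested', 'static_salted', 'per_user'] as $scheme) {
    $stored = array_map($scheme, $users);   // keys (user names) are preserved
    printf("%-14s shared=%d  alice=%s\n",
        $scheme, shared_values($stored), $stored['alice']);
}

// Verification reads the salt and cost back out of the stored string,
// so no separate salt column is needed.
$stored = per_user($users['carol']);
var_dump(password_verify('Tr0ub4dor&3', $stored));
var_dump(password_verify('password', $stored));

// If PASSWORD_DEFAULT or the cost changes later, this reports that the
// stored value should be re-hashed at the user's next successful login.
var_dump(password_needs_rehash($stored, PASSWORD_DEFAULT));
```

A fixed site-wide salt only changes which table an attacker would need; alice and bob still share one stored value under it, while password_hash() gives every account its own.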