replaced http://security.stackexchange.com/ with https://security.stackexchange.com/
URL Rewriter Bot

PHP - How safe/strong is this hashing?

Short Answer: not very.

Longer short answer: It isn't very strong compared to industry standards such as PGP or various bCrypt implementations.

Longer answer: I don't want to rip off the answers provided in this Security StackExchange Post, but please read that link; read these very long and very detailed answers as to the numerous and various pitfalls of your own hashing algorithm.

  • Obfuscation is not hashing; just because you can't read it doesn't mean no one else can.

  • As Zaph mentioned, Schneier's Law is a relevant issue here.

  • If you change the salt every time, what is the point of having the salt at all? The salt needs to be recognisable by the algorithm. Take a very simple example: you have algebra which states a = b + c. The minimum number of equations you can use to find the value of a is the number of unknown variables, so in this case 2 (one for b and one for c). So if you have hash = salt + password and you only have one equation (the hash), you can't find both the salt and the password values from within the hash...

  • What if your salt contains the / character? What if your password contains the / character?

P.S. Also, the links to IRCMaxwell's stuff posted by JimL are well worth reading too.
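
An added example (not part of the original answer, and not the asker's code) for the last two bullets: a hypothetical `salt/digest` storage format, with constructed salts and a constructed password, next to PHP's built-in `password_hash()` / `password_verify()`, which keep the per-password salt inside the stored string. The `naive_*` functions and all sample values are assumptions made for illustration.

```php
<?php
// Constructed illustration; naive_* is a hypothetical scheme, not the asker's code.
// The single SHA-256 pass is only there to show the storage problem.

function naive_store(string $password, string $salt): string {
    // Salt and digest joined with "/" into one stored string.
    return $salt . '/' . hash('sha256', $salt . $password);
}

function naive_verify(string $password, string $stored): bool {
    // Split on the first "/" to recover the salt for re-hashing.
    [$salt, $digest] = explode('/', $stored, 2);
    return hash_equals($digest, hash('sha256', $salt . $password));
}

$password = 'correct/horse';   // constructed sample password, contains "/"

// A salt without "/" is recovered intact, so the correct password verifies.
var_dump(naive_verify($password, naive_store($password, 'c2FsdHNhbHQx')));

// A salt containing "/" (base64 output can) is cut short when parsed back,
// so the same correct password is rejected.
var_dump(naive_verify($password, naive_store($password, 'c2Fs/HNhbHQx')));

// PHP's built-in API: a fresh random salt on every call, stored inside the
// hash string together with the algorithm and cost, so verification does not
// depend on a home-made separator.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$again  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// Two hashes of the same password differ because the salts differ...
var_dump($stored !== $again);

// ...yet both verify, because password_verify() reads the salt back
// from the stored string itself.
var_dump(password_verify($password, $stored));
var_dump(password_verify($password, $again));

// The stored string is self-describing: algorithm and cost can be read back.
var_dump(password_get_info($stored)['algoName']);
```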

edited body
Mm-Art-In
added 6 characters in body
Mm-Art-In