| If SHA1 isn't good enough for you, use | If you would get access to a database that stores plain md5-hashes, it would be trivial for you to enter the hash for the admin to such a service, and log in |
|---|---|
| So, if someone with good enough a memory would see that hash and know that it's the hash of an empty string | The idea of a salt is to throw the hashing results off balance, so to say |
All popular hashes are fixed-length.
| but be sure that you can generate this hashed password in the future when you need to authorize user | |
|---|---|
| It is known, for example, that the MD5-hash of an empty string is d41d8cd98f00b204e9800998ecf8427e | it is the best way to safe our clients passwords |
By using a salt any salt , you're preventing the use of a generic to attack your hashes some people have even had success using Google as a sort of rainbow table by searching for the hash.
| Ps for last 2 steps you can use your own algorithm | |
|---|---|
| What I'm trying to say, that it's better to use any salt, than not to |