Using MD5 and SHA-1 Separately
January 7, 2008 – 9:00 am
There are already so many people using so many different combinations of MD5 and SHA-1 to protect sensitive data in games as well as elsewhere. Different methods are used, such as salting, multiple stages of encryption, etc.
I have an idea of going one step further in encrypting data. It’s not so complicated as some other methods I’ve seen, but I don’t know how effective this would be in practice, and I haven’t found any similar experiments in my search on Google, so I’ll just post it here and hear your thoughts on it.
My idea is to use both MD5 and SHA-1 separately, and save two different hashes. Let’s say we were encrypting a password. Then we would have two columns in our database, called `password_md5` and `password_sha1`. These are the passwords encrypted using the two methods. Whether or not the password is salted is your choice, so long as the data parameters of the MD5 and SHA-1 functions are the same. When somebody logs in, you will need to make two comparisons to make sure that both hashes of the password (+salt) are correct.
The reason for doing this is that, if somebody were to find a collision for one hash, I think it would be highly unlikely (and maybe impossible) for that same collision to have the correct hash for the other encryption technique. I don’t really know the inner workings of MD5 and SHA-1, but I am guessing that they both work very differently, enough for this to be true.
Couple this method with salting and it should be quite secure. Of course, you could use the same principle of using two hashes, except with just one encryption technique. Instead, you could vary the salt used. The underlying principle is still the same.
I hope I explained that well enough for you to understand.
I’d also like some feedback and thoughts on this. Can you think of any disadvantages or weaknesses? Or do you think that this will be a complete failure?

2 Responses to “Using MD5 and SHA-1 Separately”
This method would not increase security in any way.
Firstly, if someone could get 1 hash then they must be able to get the other as well. Seeing as you would use both hashes whenever checking the password, and if there were SQL injection vulnerabilities, then someone could find out all fields and their data.
They only need to enter 1 password. One which will match against both MD5 and SHA-1. So if someone was trying to brute-force a password (without a salt) then they could do it for either the MD5 or SHA-1; they wouldn’t need to do both. MD5 hash collisions are very rare.
I think just using MD5 OR SHA-1 with a salt will suffice. That’s the most you can do. The real concern would be why would they be able to get the password hash in the first place. Security on the server would have to be improved to protect the hash further.
Just my thoughts.
By David Jordan on Jan 25, 2008
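The two-column scheme from the post and the point raised in the response above, as an added example that is not code from the post or the commenter: a password audit that checks candidates against only one stored column finds a value that also passes the two-hash login. The function names, salt, password and wordlist are constructed for illustration.

```python
import hashlib
import hmac

def make_record(password: str, salt: bytes) -> dict:
    """Store the two digests the post proposes, over the same salted input."""
    data = salt + password.encode("utf-8")
    return {
        "salt": salt,
        "password_md5": hashlib.md5(data).hexdigest(),
        "password_sha1": hashlib.sha1(data).hexdigest(),
    }

def check_login(record: dict, attempt: str) -> bool:
    """Login check as described in the post: both comparisons must succeed."""
    data = record["salt"] + attempt.encode("utf-8")
    ok_md5 = hmac.compare_digest(hashlib.md5(data).hexdigest(),
                                 record["password_md5"])
    ok_sha1 = hmac.compare_digest(hashlib.sha1(data).hexdigest(),
                                  record["password_sha1"])
    return ok_md5 and ok_sha1

def audit_guessable(record: dict, wordlist: list, column: str = "password_md5"):
    """Defender's audit: test candidate passwords against ONE column only.
    Returns the first candidate whose digest matches that column, or None."""
    algo = {"password_md5": hashlib.md5, "password_sha1": hashlib.sha1}[column]
    for word in wordlist:
        digest = algo(record["salt"] + word.encode("utf-8")).hexdigest()
        if digest == record[column]:
            return word
    return None

# Constructed sample data (not from the page).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORD = make_record("letmein2008", SALT)
WORDLIST = ["password", "qwerty", "letmein2008", "dragon"]

if __name__ == "__main__":
    found = audit_guessable(RECORD, WORDLIST, "password_md5")
    print("matched using the MD5 column only:", found)
    print("same value passes the two-hash login:", check_login(RECORD, found))
```

Because both columns are computed from the same input, a guess that reproduces one digest from the real password reproduces the other too, so the second column adds no work for an offline guesser who has read the table.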