01-21-2014, 08:09 AM
Your algorithm is nothing more than security through obscurity.
Immediate issues identified:
Please do not try to invent your own algorithm. just use password_hash() if you're using PHP 5 >= 5.5.0, or crypt() with CRYPT_BLOWFISH or Openwall phpass if using an older version of PHP.
And if you are truly interested in improving upon the state of the art, then I would recommend checking out the password hashing competition.
Immediate issues identified:
- You're using a "global salt", so it isn't really a salt at all -- it's just a shared secret, which is no longer a secret if the site is compromised. the real salt in your algorithm is the username. so the "salt" adds no additional security whatsoever.
- An attacker does not need to compute both the sha1 and the md5. they can simply grab the first & last 32 characters from each hash, and crack them all as straight salted md5. this would only provide a 2x slowdown since you would have duplicate salts.
- Your algorithm leaks information about the password length. so i can split the hash list into e.g. md5_left and md5_right, and only try even-length passwords on md5_left, and odd-length passwords on md5_right. for brute force attacks, this provides a 2x speedup, negating the 2x slowdown we gained in #2.
Please do not try to invent your own algorithm. just use password_hash() if you're using PHP 5 >= 5.5.0, or crypt() with CRYPT_BLOWFISH or Openwall phpass if using an older version of PHP.
And if you are truly interested in improving upon the state of the art, then I would recommend checking out the password hashing competition.