[eluser]Adam Griffiths[/eluser]
[quote author="Dam1an" date="1242492799"][quote author="Dregond Rahl" date="1242492579"]There is a lot of argument over what should be used nowadays. MD5 is now crackable, and SHA1 is taking a lead, but as we know bcrypt and PHPpass are becoming more significant. Not to mention brute-force attacks. It's a crazy world.[/quote]
The reason MD5 is considered to be so insecure is that rainbow tables are easily available (a rainbow table has the MD5 hashed value of pretty much every combination between 1 and X characters).
SHA1 being 40 bytes means more possible combinations, so it's more effort to do it than MD5, but still doable.
I just hash using SHA1 and salt (and hash again)[/quote]
You really shouldn't hash twice. It's more secure to hash a password with a salt, than to hash it again. This is because the second hash is from a hash of a set size, 32 with MD5, so it's more easily crackable. Whereas when you have a password in a salted hash it's much harder to get the cleartext because passwords can be any length and so can the salt so the hash is likely to be very different.
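
Added example, not part of the thread or any poster's code: a Python sketch of the rainbow-table and salt points discussed above, showing that a precomputed table hits an unsalted SHA1 hash but misses once a random per-password salt is mixed in. The wordlist is constructed sample data, and PBKDF2-HMAC-SHA256 from the standard library is an assumed stand-in for the bcrypt/phpass schemes the thread mentions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for a precomputed table.
WORDLIST = ["password", "letmein", "qwerty", "dragon"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup(words):
    """Precompute unsalted SHA1 -> cleartext, the idea behind a rainbow table."""
    return {sha1_hex(w.encode()): w for w in words}


def hash_password(password, salt=None, rounds=200_000):
    """Salted, deliberately slow hash. Returns (salt, rounds, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def verify_password(password, salt, rounds, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, expected)


def demo():
    table = build_lookup(WORDLIST)
    salt = os.urandom(16)
    salt_a, rounds, digest_a = hash_password("letmein")
    _, _, digest_b = hash_password("letmein")
    return {
        # Unsalted SHA1 of a listed password is a direct table hit.
        "unsalted_found": table.get(sha1_hex(b"letmein")),
        # The same password with a random salt prepended misses the table.
        "salted_found": table.get(sha1_hex(salt + b"letmein")),
        # Two users with the same password get different stored digests.
        "same_digest": digest_a == digest_b,
        "verify_ok": verify_password("letmein", salt_a, rounds, digest_a),
        "verify_wrong": verify_password("letmein1", salt_a, rounds, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt and round count are stored next to the digest; they are not secret, they only make each stored hash require its own computation.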