php MD5中的密码散列

Question

Can anyone tell me whats wrong with this?

function hashmyshit($pass){

        for ( $i = 0; $i < 1000; $i++ ){
            MD5($pass);
        }
        return $pass;
}

and how to iterate a password hashing process many times.

Answer 1

You should use :

$pass = md5($pass);

instead of

MD5($pass);

But in fact, what do you want to achieve? Why do you want do md5 many times on strings that md5 was already done? What's the purpose? If you simply want to safely encrypt password you should choose user better encryption method using password_hash() function.

Using the same encrypt function many times may even cause that it's easier attacker to get into your system, so you shouldn't do such things.

Answer 2

Accordingly if you want to hash the password a 1000 times then you can do like this:

function hashmyshit($pass){
    $password = $pass;
    for ( $i = 0; $i < 1000; $i++ ){
        $password = md5($password);
    }
    return $password;
}

Previously you were trying to hash the same $pass a 1000 times. But as @Marcin Nabiałek said this is not the appropriate method to secure the passwords, you should use in-built encryption.

Answer 3

I would strongly refrain from using MD5, due to the many cryptographic weaknesses found in the algorithm and for other obvious reasons which Philipp is kind enough to elaborate on in the following post ;

https://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function

Try BCrypt Instead

Andrew Moore explains in this post how to use bcrypt for hashing passwords in PHP?

How do you use bcrypt for hashing passwords in PHP?