AES encryption: More secure than SHA1?

Tags:
AES encryption
Encryption
Passwords
SHA1
I know this is more of a curiosity but I wanted to get some expert opinions on this. I recently heard someone recommend stepping up from md5ing (not to SHA1) but to AES encrypting the password, which would use itself as the key. Does anyone have any recommendations on if that would be more or less secure?


Discuss This Question: 1  Reply

 
  • TomLiotta

    For passwords, SHA-1 hash is usually more useful than an encryption. Encryption has a direct implication of decryption; one-way hashing does not.

    It's been known to cryptanalysts for a few years that SHA-1 is "broken". However, you need to understand their definition of "broken" before discarding a method. Most particularly in this case, it means that algorithms have been described that can break hashed values faster than "brute force". It doesn't necessarily mean that anyone today can run the algorithm against a specific, given hash value of an unknown plain-text and actually recover the plain-text from it (in any practical length of time).

    But it's also been known for even longer that SHA-1 isn't really cryptographically appropriate for long-term password storage anyway. Much stronger hashing algorithms have long been known. The perceived attraction of SHA-1 has been its speed in generating its hash result, not so much its ultimate security.

    If you need a fast hashing algorithm, SHA-1 works fine. If you need to hash a message to provide a hash digest, it's completely acceptable. It's even generally acceptable for hashing passwords. It just isn't as secure as alternatives.

    And hashing passwords shouldn't rely on absolute speed. You can almost always take a few more milliseconds for a password hash anyway. Essentially no one will ever notice the speed difference.

    But they definitely might notice if a reversible encryption is used.

    Tom
