bruticus,
MD5 and SHA1 are hash functions and they can’t be “decrypted” or inverted. A hash function is deterministic and creates a fixed-length output string from a variable-length input string. You can feed mega- or gigabytes of data into e.g. SHA1 and it will still output a 160-bit (20-byte) hash value. If SHA1 could be inverted, just imagine the data compression capabilities! An MP3 song would take 20 bytes… I could fit 20 billion songs on my iPod! W00t!
Since MD5 uses 128-bit hash values, the risk of two different passwords accidentally matching is one in 2^128. SHA1 uses 160 bits. For perspective, the “risk” of you winning at Lotto is something like one to 2^27.
Don’t store the clear-text password in the database, just calculate the hash value once and store the hash in the database. When the user tries to authenticate, he sends the hash value of the password he just entered, and you can compare it to the one in the database. If the hash values match, it is exceedingly likely that the user has entered the correct password.
Would there be any chance of you posting your work as-is somewhere? I’d be really interested in looking at it!
–Martin
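
The two points in the post above (a fixed-length digest whatever the input size, and storing only a hash that is recomputed and compared at login) as an added example that is not part of the original post. It assumes the hash is computed server-side and swaps the bare MD5/SHA1 call for salted PBKDF2-HMAC-SHA256 with a constant-time comparison; the `USERS` table, function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, iterations, stored hash).
USERS = {}

ITERATIONS = 100_000  # assumption: work factor picked for this example


def digest_lengths(inputs):
    """SHA-1 digest length in bytes for each input; 20 regardless of input size."""
    return [len(hashlib.sha1(data).digest()) for data in inputs]


def register(username, password):
    """Hash the password once and keep only salt + hash, never the clear text."""
    salt = os.urandom(16)  # per-user salt so equal passwords get different hashes
    stored = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    USERS[username] = (salt, ITERATIONS, stored)


def verify(username, password):
    """Recompute the hash from the submitted password and compare it to the stored one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking the position of the first differing byte via timing
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample inputs: empty, short, and one megabyte.
    print(digest_lengths([b"", b"hunter2", b"x" * 1_000_000]))
    register("alice", "correct horse battery")
    print(verify("alice", "correct horse battery"), verify("alice", "wrong guess"))
```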