Question

I'm in the process of developing a CMS system which will run my clients' sites, but I've come to a situation I tried to avoid. The hash() function requires PHP >= 5.1.2, and I obviously can't assume that all clients run this, since I won't handle everyone's hosting.

Hence, I'm choosing between:

  1. Sticking with SHA1 only - less security
  2. Using SHA512 when available, otherwise SHA1 - bad compatibility when it's time for server upgrades
  3. Using SHA512 only - forcing the client to upgrade ASAP (bad - they can't always)

I appreciate all input!

Solution

> The hash() function requires PHP >= 5.1.2, and I obviously can't assume that all clients run this, since I won't handle everyone's hosting.

Really?!

  • PHP 5.2 has been out since Nov 2006
  • PHP 5.3 has been out since June 2009
  • PHP 5.4 has been out for some weeks now

Running PHP < 5.1.2 means that it is at least (!) 6 years old and thus a security issue by itself. The question of which hash algorithm is more or less secure is not important anymore.

Regarding the question: sha1() (with salt) works fine for most use-cases, unless you write software for the CIA or such. The point is that even a salted md5() hash isn't worth cracking on most sites.

> Using SHA512 only - forcing the client to upgrade ASAP (bad - not always they can)

When they refuse to update 6-year-old software, they are doomed anyway...

Other tips

PHP 5.1.2 was released in '06. You can safely put this as a requirement to run the CMS. If one of your clients uses a 6-year-old version of PHP, he'll have problems much worse than incompliance with your system. Just as your CMS won't display well in IE6, which was the main browser in 2006.
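
Option 2 from the question ("SHA512 when available, otherwise SHA1") stops being an upgrade problem if every stored value records which algorithm produced it. The sketch below is an added example, not code from any of the posts; the function names and the `algo$salt$digest` storage format are assumptions made for illustration.

```php
<?php
// Added example; all function names are hypothetical.

// Strongest algorithm this host offers: sha512 via hash() (PHP >= 5.1.2), else sha1.
function best_algo() {
    return (function_exists('hash') && in_array('sha512', hash_algos())) ? 'sha512' : 'sha1';
}

// Salted digest, or false when this host cannot compute the requested algorithm.
function digest_with($algo, $salt, $secret) {
    if ($algo === 'sha1') {
        return sha1($salt . $secret);          // built in, no hash() needed
    }
    if (!function_exists('hash') || !in_array($algo, hash_algos())) {
        return false;                           // record was written on a newer host
    }
    return hash($algo, $salt . $secret);
}

// Stored form (assumed): "algo$salt$hexdigest".
function make_record($secret) {
    $salt = sha1(uniqid(mt_rand(), true));      // portable per-record salt
    $algo = best_algo();
    return $algo . '$' . $salt . '$' . digest_with($algo, $salt, $secret);
}

// Returns array($ok, $replacement). $replacement is a new record to store
// when the old one used a weaker algorithm than this host now supports.
function check_record($record, $secret) {
    $parts = explode('$', $record);
    if (count($parts) !== 3) return array(false, null);
    list($algo, $salt, $stored) = $parts;
    $actual = digest_with($algo, $salt, $secret);
    if ($actual === false || strlen($actual) !== strlen($stored)) return array(false, null);
    $diff = 0;                                  // compare without early exit
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($stored[$i]) ^ ord($actual[$i]);
    }
    if ($diff !== 0) return array(false, null);
    return array(true, ($algo !== best_algo()) ? make_record($secret) : null);
}

// Constructed demo: a record written on a SHA1-only host, checked on this one.
$old = 'sha1$abc$' . sha1('abc' . 's3cret');
list($ok, $new) = check_record($old, 's3cret');
var_dump($ok, $new !== null);
```

Records migrate one at a time as each secret is next presented, so a server upgrade needs no bulk conversion; a move in the other direction (to a host without hash()) leaves SHA512 records unverifiable, which is the remaining cost of option 2.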

License: CC-BY-SA with attribution
Not affiliated with StackOverflow