Speed of encryption

[PH-ZTaylor]

I was wondering, instead of using thousands upon thousands of SHA1() rounds, why not use a different cipher method that is more resistant to cryptanalysis attacks, and less computationally expensive, such as whirlpool.

[harzem]

The repetition is not related to being resistant against cryptanalysis attacks. The repetition is aiming to make rainbow tables or brute force attacks infeasible. Being "computationally expensive" was the main purpose here. We benchmarked some servers to determine an acceptable speed. If today's servers were faster, we would use 128,000 rounds instead of 32,000 to make it even more computationally expensive.

One other consideration was the availability of SHA1 on most server applications, including PHP.

[PH-ZTaylor]

I thought that the brute force attack feasibility was based upon the length of the hash secret, as opposed to the repetition.  In this case, http://www.fraudrecord.com/security.php gives us the secret, which definitely decreases the time it would take to bruteforce, as the secret is known.

[harzem]

There is no "hash secret". Hashing is not done via an encryption key. There is no way to include any secrecy in a system like this. There is a salt, specifically "fraudrecord-", but it is impossible to use a secret salt. It must be universal across all the companies, modules and codes using FraudRecord.

The only way to increase strength is increasing the number of repetition, regardless of the salt or hashing algorithm. We took the best course of action available.