md5 Password Scramble



tomyknoker
04-05-2007, 06:31 PM
Is md5 the best way to scramble your passwords? I have been reading that it can be breached?

boxxertrumps
04-05-2007, 06:45 PM
Yes. MD5 is not currently decryptable.
This:

Password Is:
<?php
// Equal to md5("correct password"). I don't have a server on hand... can't make a hash.
$hash = "something";
// Strict comparison: with ==, PHP compares hex strings such as "0e123..." as numbers.
if (md5($_POST['pass']) === $hash) {
    echo "Correct";
} else {
    echo "Incorrect";
}
?>
Would be an example of how to use hashes.

Also, if someone got a hold of the DB output, then they couldn't log in because they don't know the string that created the hash.

Twey
04-05-2007, 06:51 PM
Not breakable, no, but there are several problems with collisions, where, given a certain hash, it's possible to generate other strings that will cause that same hash, so they could still log in.

It's better than nothing still, but people are starting to move towards SHA-1 (sha1() function in PHP).

tomyknoker
04-05-2007, 07:12 PM
I have been using a scramble function which was created, is this nowhere near as safe as using SHA-1 or md5?

Twey
04-05-2007, 07:19 PM
Unless you're a military-class professional cryptographer or very, very lucky, I sincerely doubt it :)

tomyknoker
04-05-2007, 07:20 PM
I just read this on php.net



Note that the sha1 algorithm has been compromised and is no longer being used by government agencies.

As of PHP 5.1.2 a new set of hashing functions are available.

http://www.php.net/manual/en/function.hash.php

The new function hash() supports a new range of hashing methods.

echo hash('sha256', 'The quick brown fox jumped over the lazy dog.');

It is recommended that developers start to future proof their applications by using the stronger sha-2 hashing methods, such as sha256, sha384, sha512 or better.

As of PHP 5.1.2 hash_algos() returns an array of system specific or registered hashing algorithms methods that are available to PHP.

print_r(hash_algos());

Should I steer clear of sha1?

Twey
04-05-2007, 07:24 PM
Oh, I didn't know that. Yes, use SHA-256 then. I really should keep up with cryptography news.

boxxertrumps
04-06-2007, 04:02 PM
It is true that some md5 inputs have the same hash generated, but people should write their scripts smarter, not just using the latest encryption methods.


Password Is:
<?php
// $correct_password stands for the real password; in practice both hashes are computed once and stored.
$hash = md5($correct_password);
$appendedhash = md5($correct_password . "fixed string");
if ((md5($_POST['pass']) === $hash) && (md5($_POST['pass'] . "fixed string") === $appendedhash)) {
    echo "Correct";
} else {
    echo "Incorrect";
}
?>

This almost eliminates the possibility of someone stumbling upon a password with the same hash, AND the same appended hash.

I hope I'm making sense...

Twey
04-06-2007, 04:29 PM
Yes, it does help, but if the database is compromised it makes sense to assume that the filesystem is compromised too, so it's quite likely that the attacker will have access to this appended string already. It's good for the off-chance that the attacker has database access but not filesystem, though.
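
Added example, not part of any post in this thread: the posts above weigh md5(), sha1(), hash('sha256', ...) and a fixed appended string; this sketch instead uses PHP's built-in password_hash() and password_verify(), which give every password its own random salt and a deliberately slow hash, and it upgrades legacy md5 rows at the next successful login. It assumes PHP 7 or later; the `$users` array, the `check_login()` function and the sample passwords are constructed for illustration.

```php
<?php
// Constructed sample data standing in for a users table (hypothetical names).
$users = [
    // Legacy row: bare md5() of the password, as in the posts above.
    'alice' => ['scheme' => 'md5', 'hash' => md5('correct horse')],
    // Modern row: algorithm, cost and per-password salt are encoded in the hash string.
    'bob'   => ['scheme' => 'php', 'hash' => password_hash('s3cret!', PASSWORD_DEFAULT)],
];

function check_login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];

    if ($row['scheme'] === 'md5') {
        // Legacy path: constant-time, type-safe comparison of the hex digests.
        $ok = hash_equals($row['hash'], md5($password));
    } else {
        // password_verify() reads algorithm, cost and salt from the stored hash.
        $ok = password_verify($password, $row['hash']);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is available only now, so replace weak or outdated hashes here.
    if ($row['scheme'] === 'md5' || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $row['scheme'] = 'php';
    }
    return true;
}

// Usage on the constructed data: a wrong password, then a correct one that
// triggers the upgrade, then a second login that goes through password_verify().
var_dump(check_login($users, 'alice', 'wrong'));
var_dump(check_login($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme']);
var_dump(check_login($users, 'alice', 'correct horse'));
var_dump(check_login($users, 'bob', 's3cret!'));
```

Because the salt is stored inside each hash string, two users with the same password get different stored values, and no separate secret string has to be kept on the filesystem.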