When writing encryption, it is best practice to hash the password, so that the password cannot be recovered from the data even if the ciphertext is deciphered by (usually statistical) analysis.
A modification is to hash the password several thousand times. This helps make the algorithm hard to brute force.
An informal name for the practice of hashing the password repeatedly, several thousand times, to generate the key is “key windup.”
The reason for the procedure is that it might take one twentieth (1/20) of a second to generate the key in this manner, but after that, encryption/decryption can proceed at full throttle. This means that at every human intervention, the time lost is insignificant. However, when an automaton attempts to brute force the same algorithm for some large number of keys, it finds that it can only “try” 20 passwords per second.
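The windup described above, as an added Python example (not code from the original page). The per-password salt, the SHA-256 default and all function names are assumptions; `derive_key` goes one step beyond the text by showing the same idea through the standard library's PBKDF2.

```python
import hashlib
import os
import time


def windup(password: bytes, salt: bytes, rounds: int, algo: str = "sha256") -> bytes:
    """Key windup: hash salt+password, then re-hash the digest until `rounds` hashes are done."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    digest = hashlib.new(algo, salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(algo, digest).digest()
    return digest


def calibrate(target_seconds: float = 0.05, probe_rounds: int = 20_000) -> int:
    """Time a probe run and scale the round count so one windup costs about target_seconds."""
    start = time.perf_counter()
    windup(b"probe", b"\x00" * 16, probe_rounds)
    elapsed = time.perf_counter() - start
    return max(1, int(probe_rounds * target_seconds / elapsed))


def seconds_to_exhaust(candidates: int, seconds_per_guess: float) -> float:
    """Worst-case time for one worker to try every candidate password."""
    return candidates * seconds_per_guess


def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """The same idea via PBKDF2-HMAC-SHA256, which mixes the password into every round."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)


if __name__ == "__main__":
    salt = os.urandom(16)                       # assumption: random salt stored with the data
    rounds = calibrate()                        # about 1/20 s per key on this machine
    key = derive_key(b"correct horse", salt, rounds)   # constructed sample password
    print(f"{rounds} rounds, {len(key)}-byte key")
    years = seconds_to_exhaust(26 ** 8, 0.05) / (365.25 * 86400)
    print(f"all 8-letter lowercase passwords at 20 per second: about {years:.0f} years")
```

The round count must be stored alongside the salt, since decryption has to repeat exactly the same windup.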
While the hashing would be standardized for any given implementation, there is no reason that it must be only sha1 or md5. Any combination of the various available hashes would be agreeable, and some encryption programs offer a drop down menu with a selection of these.
Good standardized hashes include, but are not limited to:
- AES Keccak (sha3)
The trusty (and easy to use) Message Digest 5 is mathematically “broken,” because it is possible to offer a digital authority a plaintext that digests to a similar value. As a practical matter, however, no one can produce a counterfeit document that hashes to the same md5 checksum and will pass as an original to a human.