For those wishing to increase the computational cost of brute-forcing their password hashes by iterating the hash command multiple times, but who don't want to increase the risk of a hash collision: simply re-append the password to the hash on each iteration.
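<?php
// $password and $salt are assumed to be set by the caller.
$iterations = 10;
$hash = crypt($password, $salt);
for ($i = 0; $i < $iterations; ++$i) {
    // Re-append the password so every round depends on it, not only on the previous hash.
    $hash = crypt($hash . $password, $salt);
}
?>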
This, of course, can be used with md5(), sha1(), etc. as well as crypt().
Some other recommendations:
- Use the highest number of iterations possible without introducing a significantly noticeable delay to authenticating users, or causing more CPU use than your host will allow.
- Use a unique salt for each user, ideally a random one.
- Use a salt of at least 24 bytes, especially if you're using a weaker algorithm like MD5 or SHA-1.
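The recommendations above combined into one flow, as an added example that is not part of the original note: a random 24-byte per-user salt, an iteration count calibrated to a time budget, and constant-time verification. The function names, the `iterations$salt$hash` record format, the 50 ms budget and the use of HMAC-SHA-256 in place of crypt() are assumptions of this example.

```php
<?php
// Added example; function names and the record format are assumptions.
const SALT_BYTES = 24; // salt length recommended in the note
// Iterated hash with the password re-appended each round; the salt keys the HMAC.
function stretch(string $password, string $salt, int $iterations): string
{
    $hash = hash_hmac('sha256', $password, $salt, true);
    for ($i = 0; $i < $iterations; ++$i) {
        $hash = hash_hmac('sha256', $hash . $password, $salt, true);
    }
    return $hash;
}

// Double the iteration count until one computation takes at least $targetSeconds.
function calibrate(float $targetSeconds): int
{
    $salt = random_bytes(SALT_BYTES);
    for ($iterations = 1024; ; $iterations *= 2) {
        $start = microtime(true);
        stretch('calibration input', $salt, $iterations);
        if (microtime(true) - $start >= $targetSeconds) {
            return $iterations;
        }
    }
}

// Store the iteration count and salt beside the hash so the count can be raised later.
function make_record(string $password, int $iterations): string
{
    $salt = random_bytes(SALT_BYTES);
    $hash = stretch($password, $salt, $iterations);
    return $iterations . '$' . base64_encode($salt) . '$' . base64_encode($hash);
}

function check_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;
    }
    $salt = base64_decode($parts[1], true);
    $expected = base64_decode($parts[2], true);
    if ($salt === false || $expected === false) return false;
    // hash_equals() compares in constant time.
    return hash_equals($expected, stretch($password, $salt, (int) $parts[0]));
}

$record = make_record('constructed sample password', calibrate(0.05)); // 50 ms budget, constructed
var_dump(check_record('constructed sample password', $record), check_record('wrong', $record));
```

For new code, PHP's built-in password_hash() and password_verify() handle the salt, the cost parameter and the comparison internally.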