|
|
Posted by Erwin Moller on 09/02/05 17:43
ijsaunders@gmail.com wrote:
> This is correct, never store password in plain text. The above
> suggestion is correct, though I would also put in some random
> characters (segment the string and rebuild it the other end).
>
> Give them a link to log in so that they immediately have to create a
> new password as suggested above. also think about using security
> questions.
>
> perhaps also pass some sort of encrypted username in the link also to
> make the checking function that much quicker to validate. (i.e. select
> where user= (decrypt) and pass=(decrypt).
Hi,
I don't want to ruin this party, but if you safe md5(password) you might as
well store them plaintext.
MD5 has had its best days. :-(
Some really smart Chineese guys came up with an algoritm that produces
INPUTSTRINGS that give the same MD5 hash as the original string.
That effect is called collison:
MD5(StringA) -> blakjhdsafjkh
MD5(StringB) -> blakjhdsafjkh
MD5(StringC) -> blakjhdsafjkh
etc.
They came up with an algoritm that produces some string (StringB and StringC
in the above example) that produce the same hash.
I also read some smart@ss at slashdot improved on this, and now it can be
done on a run-of-the-mill PC in 1 second.
So: effectively MD5 is broken. Do not use it.
Same goes for SHA1 (different problem).
If you are interested, read more on the topic.
Written by the best: Schneier. :-)
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Regards,
Erwin Moller
Navigation:
[Reply to this message]
|