Posted by Otto Allmendinger on 09/28/13 11:17

simon wrote:

> He was asking about passwords. Almost every site that is md5() only
> compare the hash as they cannot compare the string.
> So, technically, given a hash key you can get a string. In turn that
> string would match the hash and give you access.

I don't quite agree. If the hash isn't generated by the string itsself, but
by a slightly alternated version of it, like md5(string.'extra'), the
attacker would find a string y with md5(y)==hash, but not one with
md5(y.'extra')==hash.
I think this is a very simple way to make a authentication routine more
secure.

• Next in forum: Re: md5 encryption
• Prev in forum: Re: register_long_arrays still show off ?
• Thread view: Re: md5 encryption

[Reply to this message]