MD5 (Re: [prog] web authentication)
Benjamin A'Lee
lists at benalee.co.uk
Thu Nov 10 13:17:56 EST 2005
On Thu, 2005-11-10 at 09:39 +1100, Mary wrote:
> On Wed, Nov 09, 2005, Caroline Johnston wrote:
> > I want a reasonably secure login system for a web-app and I'm not quite
> > sure how to set it up. I had a bit of a google and I reckon I can send a
> > random number to the browser and MD5 the number with the password
> > client-side
>
> MD5 is not recommended for security use anymore: the ability to generate
> collisions is too good. See http://en.wikipedia.org/wiki/MD5
>
> Current thinking seems to be that there's a little while left in the the
> SHA-* hashes.
One suggestion I've heard is to store both an MD5 hash and a SHA1 hash
(or any two different hashes) - even if a collision is found on one
algorithm the chances are ridiculously small that it'll also be a
collision on the other algorithm. Then if the supplied password doesn't
match both of the stored passwords you can reject it.
I've never gotten around to implementing this yet though, or even
looking into it more to see whether it's worthwhile.
Ben
--
Termisoc Tech Officer: <http://termisoc.org/>
My Homepage: <http://benalee.co.uk/>
"He that breaks a thing to find out what it is has left the path of
wisdom." - J.R.R. Tolkien
More information about the Programming
mailing list