> > So you might find your hash in the rainbow
> > tables, but the original string still might not match.
>
> True, but in most cases where a hash is used, it doesn't
> matter; all you need is some string that results in the
> same hash. That'd be typical for a password system, for
> instance.
One way to make hashes a LITTLE more secure is to use a "private" string when doing the initial hash as well as the comparison hash (say, at login). Essentially, you take their password and append something else to it that only the system knows. This way, if someone gets your hash value, it makes it that much more difficult to figure out what the original value was from the user's end, since there was another "key" involved as well that they would need to know. Granted, if the hash value shows up in one of these rainbow tables they can still break the account, but there is still no way of knowing what the ACTUAL original value was. FWIW, the hacker may break the account but will be unlikely to be able to take the password they "reversed" and use it somewhere else.

-----------------------------------
Justin D. Scott
Vice President
Sceiron Interactive, Inc.
www.sceiron.com
941.378.5341 - office
941.320.2402 - mobile
941.870.5626 - facsimile
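The scheme described in the post (hash the password together with a string only the server knows, then repeat the same computation at login) can be shown concretely. The following is an added example written for this page, not code from the post or from any ColdFusion library; it uses Python's standard library only. The server secret, the three-entry "precomputed table" and the passwords are all constructed for the demonstration. The example also goes one step beyond the post: alongside the single server-wide secret it adds a random per-user salt and a slow key-derivation function, which is what a practitioner would use today so that two users with the same password do not share a digest and so that guessing is expensive even for someone who holds the secret.

```python
import hashlib
import hmac
import os

# Constructed server-side secret (the "private" string the post describes; usually
# called a pepper). Assumption: in a real deployment it is loaded from a secrets
# store or the environment, never committed with the code, and never stored in
# the same database table as the digests it protects.
SERVER_SECRET = b"constructed-example-secret-replace-me"


def plain_hash(password: str) -> str:
    """Unkeyed SHA-256: identical input gives the identical digest on every system,
    which is exactly what makes a precomputed digest table useful to an attacker."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def peppered_hash(password: str) -> str:
    """The post's idea: hash the password together with a secret only the server
    knows. HMAC is used instead of plain concatenation so the secret acts as a
    proper key rather than as extra bytes appended to the message."""
    return hmac.new(SERVER_SECRET, password.encode("utf-8"), hashlib.sha256).hexdigest()


def _derive(password: str, salt: bytes) -> str:
    """Per-user salt + slow KDF (PBKDF2, 100k rounds), then keyed with the secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.new(SERVER_SECRET, stretched, hashlib.sha256).hexdigest()


def make_record(password: str) -> dict:
    """What gets stored at sign-up: the random salt (not secret) and the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Login-time comparison. Recompute with the stored salt and the server secret,
    then compare in constant time so timing does not leak digest bytes."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["digest"])


# Constructed stand-in for a precomputed digest table (digest -> original string).
# Three entries are enough to show the effect; real tables are only larger.
PRECOMPUTED = {plain_hash(p): p for p in ("password", "letmein", "123456")}


def table_hit(digest: str):
    """Return the input a precomputed table would give back for this digest, or None."""
    return PRECOMPUTED.get(digest)


if __name__ == "__main__":
    pw = "letmein"
    print("plain hash found in table:   ", table_hit(plain_hash(pw)))     # letmein
    print("peppered hash found in table:", table_hit(peppered_hash(pw)))  # None
    rec = make_record(pw)
    print("login with right password:   ", verify(pw, rec))               # True
    print("login with wrong password:   ", verify("Letmein", rec))        # False
```

The unkeyed digest of "letmein" is looked up directly in the constructed table; the keyed digest of the same password is not, because whoever built the table did not know `SERVER_SECRET`. Note that the secret protects the stored digests, not the login endpoint: an attacker who steals the secret together with the database is back to ordinary guessing, which is why the salted, stretched variant still matters.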