Mark Rajcok wrote:

Thanks, I didn't realize I was just hashing, not really encrypting.  I'll
switch.  What would you recommend instead?  Crypt::PasswdMD5?  and randomly
generate a salt each time I write the encrypted password to the database?

Using a random (or pseudo-random) salt will defeat rainbow tables. Not only does it make the password "longer" and less feasible for a rainbow table (the tables grow exponentially as the number of characters in the pw grows) but it means that 2 people with the same password will actually have different MD5 hashes.

At this point no one has broken MD5 (you can create MD5 collisions if you know what you're doing, but this doesn't mean you can reverse an MD5 hash). But everyone also agrees that SHA1 is more secure than MD5. Although at this point it doesn't matter which one you choose, because your hashing algorithm is not going to be your weakest link.

--
Michael Peters
Plus Three, LP
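The store-and-verify flow Michael describes (fresh random salt on every write, salt stored beside the digest, recompute on login), written as an added example in Python rather than the Perl Crypt::PasswdMD5 module mentioned in the thread. The `algorithm$salt$digest` record format and the function names are assumptions made for this illustration, not the module's own format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Record format (an assumption for this example, not Crypt::PasswdMD5's):
#   "<algorithm>$<salt-hex>$<digest-hex>"
SALT_BYTES = 16


def hash_password(password: str, algorithm: str = "sha1",
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: a fresh random salt plus the salted digest.

    A new salt is drawn every time the record is written, so two users with
    the same password get different digests, and a precomputed table of
    unsalted digests matches nothing in the database.
    """
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest: {algorithm}")
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, not rand()
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return f"{algorithm}${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        algorithm, salt_hex, expected = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: reject rather than guess
    actual = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that picked the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print(alice)
    print(bob)
    print("same digest?", alice.split("$")[2] == bob.split("$")[2])  # False
    print("alice ok?", verify_password("correct horse", alice))      # True
    print("bob wrong pw?", verify_password("battery staple", bob))   # False
```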


#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
