I don't feel confident about crypto and security questions, but I need to implement password hashing and session ID generation, and make it difficult to guess a password by brute force or a dictionary attack with a single "usual" computer. I'm slightly disappointed that the more I read different articles on IT forums, the less I understand. And there are several opposing ideas that stun me.

1. All security systems, ciphers, etc. can be hacked if someone wants it.
2. Do not reinvent the wheel. Everything has been invented already.
3. If you use a standard implementation, it's a high risk that it was cracked already.
4. Is it really essential for someone to crack your security?

About MD5, I have read that it's already cracked. It's vulnerable to a length extension attack. I feel SHA-2 is better (but it's not my opinion - it's just a subjective feeling). And maybe a more modern algorithm hasn't been hacked yet. A greater variety of standard implemented hash algorithms would make it possible to combine them in different ways to get a non-standard hash implementation. I think it can increase security against attacks with rainbow tables.

I don't know if I'm right or not. The reason I asked is that I'm implementing authentication on a site written in D. So I want to make the password hash generation function secure enough to forget about it for ~5 years or more. Because there are only a few hash functions implemented in std.digest, and they are not so strong from a security standpoint, it is not very useful.

P.S. Sorry for my English.
