> hash. The reason straight hashes like that aren't stored in
> password tables is because they're vulnerable to dictionary
> attacks, aided by techniques such as rainbow tables (I'm
> mentioning that term so that you have something to search for
> if you're interested). Hence, hashes are normally mixed up a
> bit more via the inclusion of some random salt.
An additional reason not to use unsalted MD5s: if more than one
person uses the same password, they all show up with the same
hashed value. I have to deal with this in one of my hand-me-down
legacy databases where an abundance of users have
import md5
print md5.md5('password').hexdigest()
# 5f4dcc3b5aa765d61d8327deb882cf99
as their password.
So knowing one of them, you now know the password to all of the
accounts with the same MD5.
Whereas, if it's salted:
password = 'password'  # assumed value; the post does not define it
for salt in range(5):
    print "%s:%s" % (salt,
        md5.md5('%s:%s' % (salt, password)).hexdigest()
    )
yields
0:a6502bff257c94a50d96d730ff230ccc
1:4e13c8afaecb2fc48e4432e52324d05f
2:e9e0cb7d82f6191cdd1e1a69ed22b53d
3:58b857974c98e96f33de642acf1b40f2
so there's no easy way to tell that each of these is the same
password.
-tim
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---