2015-10-30 16:39 GMT+01:00 Jonas Maebe <jonas.ma...@elis.ugent.be>:

>
> Frederic Da Vitoria wrote on Fri, 30 Oct 2015:
>
>> Do you really need to compare them or simply to validate them? I ask
>> because in one project I worked on for an insurance company, we were
>> forbidden to store the passwords. We stored only a kind of checksum for
>> them. With something like CRC32 or even a higher resolution algorithm, you
>>
>
> Never ever use CRC32 in a crypto context, it's completely unsuited and
> easily cracked. The subject of this thread is already about finding an
> implementation for scrypt, which is a (at this time considered) secure
> hashing algorithm.
>

My point is precisely that in this situation, there would be nothing to
crypt. Just check validity. So use CRC64 if you want (the size difference
probably won't be relevant by current standards), but don't store the
actual password. What isn't there can't be cracked, not even with future
technology :-)

-- 
Frederic Da Vitoria
(davitof)

Member of April - "promoting and defending free software" -
http://www.april.org
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
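
The following Python example is added for illustration and is not from any poster in this thread. It shows why a 32-bit checksum is a poor password verifier (two different constructed strings share one CRC32, so either would be accepted) next to a salted scrypt verifier, which likewise stores no password. The function names and the scrypt cost parameters are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import zlib

# Assumed scrypt cost parameters for illustration; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def crc32_verifier(password: str) -> int:
    """Weak scheme: store a 32-bit checksum in place of the password."""
    return zlib.crc32(password.encode("utf-8"))


def find_crc32_collision(limit: int = 1_000_000) -> tuple[str, str]:
    """Birthday search over constructed strings until two share a CRC32."""
    seen: dict[int, str] = {}
    for i in range(limit):
        candidate = hashlib.sha256(i.to_bytes(4, "big")).hexdigest()[:16]
        checksum = crc32_verifier(candidate)
        if checksum in seen:
            return seen[checksum], candidate
        seen[checksum] = candidate
    raise RuntimeError("no collision within limit")


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def scrypt_enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store; the password itself is never kept."""
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)


def scrypt_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, salt), stored)


if __name__ == "__main__":
    first, second = find_crc32_collision()
    print("same CRC32:", crc32_verifier(first) == crc32_verifier(second))
    salt, stored = scrypt_enroll(first)
    print("scrypt accepts first:", scrypt_verify(first, salt, stored))
    print("scrypt accepts second:", scrypt_verify(second, salt, stored))
```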
