On Fri, 25 Aug 2017 11:32:36 +0200, Benoît Minisini <gam...@users.sourceforge.net> wrote:

> On 25/08/2017 at 11:22, Adrien Prokopowicz wrote:
>> I would like to put my two cents on this subject (although,
>> disclaimer: I am not a professional in security).
>> First of all, the documentation of gb.crypt is completely wrong. As Tobias says, its methods have *nothing* to do with encryption: ...
>
> Not my fault:
>
> $ man crypt
>
> CRYPT(3)
>
> NAME
>         crypt, crypt_r - password and data encryption
> ...

Oh wow, I actually never noticed this. Probably it is because it's a very old
function, and no one wanted to update the man page?

> But you are right. The documentation should be updated with emphasis on hashing
> instead of encryption, and an explanation of the risks.

Yep, I will probably do that when I'm finished with writing the Git guide.

> And SHA-1 and SHA-2 are provided too for better security.

I know they are there, but while they are a little better than MD5, they still
are very bad for handling passwords: they are way too quick.

Some functions that are commonly used for password hashing are PBKDF2 or bcrypt
(and maybe scrypt too, although I heard it is a bit young). PBKDF2 and scrypt
can be provided by OpenSSL, but I think bcrypt is implemented in a separate
library.

--
Adrien Prokopowicz
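The speed argument in the message above can be shown directly. The Python below is an added example written for this page, not code from Gambas, gb.crypt or OpenSSL: it derives a password hash with PBKDF2-HMAC-SHA256 from the standard library using a fresh random salt per password, stores the algorithm, iteration count and salt next to the hash so the cost can be raised later without breaking old records, verifies with a constant-time comparison, and measures how many times slower one derivation is than a bare SHA-256 of the same input. The record format, the field names and the iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Parameters chosen for this example (not taken from gb.crypt or OpenSSL).
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 200_000   # raise over time as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A random salt per password means two users with the same password get
    different records, and precomputed tables for the bare hash are useless.
    The iteration count is stored so old records remain verifiable after the
    default is raised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare.

    Malformed or foreign records are rejected rather than raising, and the
    comparison is constant-time so the response time does not reveal how many
    leading bytes of the candidate matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def cost_ratio(password: str = "hunter2", trials: int = 1000) -> float:
    """How many times longer one PBKDF2 derivation takes than one plain
    SHA-256 of the same password. This ratio is the point of a password
    hash: every guess an attacker makes has to pay it too."""
    data = password.encode("utf-8")
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(data).digest()
    fast = (time.perf_counter() - start) / trials
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", data, salt, DEFAULT_ITERATIONS, dklen=KEY_BYTES)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed input
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Correct horse battery staple", record))
    print("one PBKDF2 costs about %.0f plain SHA-256 hashes" % cost_ratio())
```

Because the iteration count travels with the record, a deployment can bump DEFAULT_ITERATIONS and transparently re-hash each user at their next successful login; records written with the old count keep verifying in the meantime.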

_______________________________________________
Gambas-user mailing list
Gambas-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gambas-user
