A.J. Venter wrote:
That seemed to work fine - except it turns out that MD5 is even LESS reliable than I thought, at least on small data. I had a bug report (and confirmed it) that you can log into anybody's account if you simply know how many characters his password has.

Apparently '123456' generates exactly the same MD5SUM as 'beebob' (for any particular set of values)!

This is not the case for the MD5 algorithm as defined in RFC 1321.

$ echo 123456|md5sum
f447b20a7fcbf53a5d5be013ea0b15af *-

$ echo beebob|md5sum
bd9dc720ce0f1976d760a803c1d12370 *-

Maybe you somehow only hash the string length? E.g. you do an md5(password[1])?

Regards,

Bram
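
Added example, not part of the original message and not code from the application under discussion: a Python check that tells a hash routine that digests the password bytes apart from one whose output depends only on the password length, the failure guessed at in the reply. The function names, the faulty routine and the sample passwords are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def md5_hex(data: bytes) -> str:
    """Reference MD5 (RFC 1321) as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def correct_hash(password: str) -> str:
    """Digest the password bytes themselves (no trailing newline)."""
    return md5_hex(password.encode("utf-8"))


def length_only_hash(password: str) -> str:
    """Hypothetical faulty routine: digests only the length byte, so
    every password of the same length gets the same digest."""
    return md5_hex(bytes([len(password) & 0xFF]))


def ignores_content(hash_fn, samples) -> bool:
    """True if hash_fn yields a single digest per password length,
    i.e. the characters of the password never reach the hash."""
    digests = defaultdict(set)
    counts = defaultdict(int)
    for pw in set(samples):
        digests[len(pw)].add(hash_fn(pw))
        counts[len(pw)] += 1
    tested = [n for n in counts if counts[n] > 1]
    if not tested:
        raise ValueError("need two distinct samples of equal length")
    return all(len(digests[n]) == 1 for n in tested)


# Constructed sample passwords; two lengths, several values each.
SAMPLES = ["123456", "beebob", "abcdef", "pass", "word"]

if __name__ == "__main__":
    # `echo 123456 | md5sum` hashes "123456\n": echo appends a newline,
    # so the digests in the message are not those of the bare strings.
    print("echo-style :", md5_hex(b"123456\n"))
    print("bare string:", correct_hash("123456"))
    for fn in (correct_hash, length_only_hash):
        print(fn.__name__, "ignores content:", ignores_content(fn, SAMPLES))
```

Running ignores_content against the application's own hashing call, wrapped in a Python callable, is a quick regression test for this class of bug.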
