On Tue, Nov 01, 2005 at 17:00:50 -0500, "Mark R. Dingee" <[EMAIL PROTECTED]> wrote: > Bruno, > > I use an authenticate() function as a part of state maintenance in a PHP web > app. In the function, I generate an encrypted token that is then used in the > validation process on subsequent pages. md5 works, but I've been able to > brute-force crack it very quickly, so I'm looking for an alternative. Any > thoughts would be greatly appreciated.
This isn't a problem with MD5. While MD5 does have some theoretical weaknesses, they aren't really an issue in this case. Why are you using a hash at all? If you are using the hash as a key, why not just use a random string instead? The web browser could be handed a session id and random string and on the server you would have a table indexed by session ids that includes the random string. On many systems you can use /dev/urandom as a source of random data. Since you don't seem to be concerned about sniffing, /dev/random is probably overkill and having it block when low on entropy would probably be a problem for you. ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend
