Doesn't md5 generate a 128 bit binary number??? That means there are 3.4028236692093846346337460743177e+38 possible combinations which can be generated. So surely the odds of 2 strings producing the same md5 code are 1 in 3.4028236692093846346337460743177e+38???
Having said that, I guess dictionary based attacks could break in fairly easily. That's why I always make my users have numbers and mixed case in their passwords.

-----Original Message-----
From: John S. Huggins [mailto:[EMAIL PROTECTED]]
Sent: 13 August 2002 17:48
To: Robert Parker
Cc: [EMAIL PROTECTED]; Adam Voigt
Subject: Re: Re[2]: [PHP] Credit Card suggestions

On Wed, 14 Aug 2002, Robert Parker wrote:

>-On Tuesday 13 August 2002 12:20 pm, you wrote:
>-> Makes sense, except if you use upper and lowercase characters,
>-> numbers, and symbols (as you should for secure passwords). I would
>-> think that with these kind of passwords, storing the sheer number of
>-> possibilities would get slightly large. And I mean even if it is easy
>-> to break, it's more secure than storing them clear text.
>->
>-> Adam Voigt
>-> [EMAIL PROTECTED]
>-
>-Thing that really scares me about MD5 being used anywhere that's easily
>-accessible is what happens if 'pussycat' maps on to the same hash as
>-'H&3ph!3s09Zw'. The crackers don't need the original password just something
>-that generates the same hash.

Sure this is possible and I agree a concern. With MD5 there is some mathematically small chance this will happen. With SHA even smaller. However, where do we draw the line? I suppose requiring users to use long passphrases instead of passwords and MD5 that result would help with this issue.

>-
>-Bob Parker
>-
>---
>-PHP General Mailing List (http://www.php.net/)
>-To unsubscribe, visit: http://www.php.net/unsub.php
>-

**************************************
John Huggins
VANet
[EMAIL PROTECTED]
http://www.va.net/
**************************************

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
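
Added example, not part of the original thread: a short Python calculation that puts the figures discussed above side by side, namely the 2^128 MD5 digest space, the chance of an accidental hash match, and the much smaller space of the passwords being hashed. It assumes the hash behaves like a uniform random function and that passwords are chosen uniformly at random (an upper bound for human-chosen ones); all function names are made up for this illustration.

```python
import math

# Assumptions (not from the thread): digests are uniformly random, and
# passwords are drawn uniformly from the given alphabet and length.

def digest_space(bits):
    """Number of distinct digests for a hash with `bits` output bits."""
    return 1 << bits

def match_probability(bits, guesses):
    """Chance that at least one of `guesses` random inputs hits ONE fixed digest."""
    # 1 - (1 - 2^-bits)^guesses, via log1p/expm1 so tiny values do not round to 0.
    return -math.expm1(guesses * math.log1p(-(2.0 ** -bits)))

def birthday_probability(bits, stored):
    """Approximate chance that ANY two of `stored` random digests are equal."""
    return -math.expm1(-stored * (stored - 1) / 2.0 / 2.0 ** bits)

def keyspace(alphabet, length):
    """Number of passwords of exactly `length` symbols from `alphabet` symbols."""
    return alphabet ** length

def length_to_fill(bits, alphabet):
    """Shortest password length whose keyspace reaches the digest space."""
    n = 1
    while keyspace(alphabet, n) < digest_space(bits):
        n += 1
    return n

if __name__ == "__main__":
    print("MD5 digests (2^128):", digest_space(128))
    for name, alphabet in [("lowercase only", 26), ("mixed case + digits", 62)]:
        ks = keyspace(alphabet, 8)
        print(f"8 chars, {name}: {ks} passwords (~{math.log2(ks):.1f} bits)")
    print("P(one of 10^12 random strings matches a given MD5):",
          match_probability(128, 10**12))
    print("P(any two of 10^9 stored MD5 digests are equal):",
          birthday_probability(128, 10**9))
    print("Same, with a 160-bit digest:", birthday_probability(160, 10**9))
    print("Length at which 62-symbol passwords fill 2^128:",
          length_to_fill(128, 62))
```

Under these assumptions an 8-character mixed-case-and-digits password carries under 48 bits, so the password's own guess space, not an accidental MD5 match, is the limiting factor.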