PerlMonks
I'm using Digest::MD5 to generate unique cookie values as well as for password authentication. Should I or should I not continue to use Digest::MD5 for those operations?

The vulnerability is that if a 3rd party intercepts the MD5 hash, they can spend a few days of compute time to discover a plain-text input that will produce the same hash. You can mitigate or effectively eliminate the threat by limiting the length of plaintext passwords (say, 12 to 16 characters). Then, even if an attacker finds a longer text string that results in the same MD5 hash, they're cut off by the limit.

However, unless you're mixing user-supplied plaintext with some secret string before generating a hash, you're open to dictionary attacks.

MD5 is way down on the list of things I'm worrying about right now, but there's always the chance that I'm being naive.

In reply to Re: MD5 - what's the alternative
by dws
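
The difference between hashing the bare plaintext and mixing in a secret string first, as an added example that is not part of the original post. It swaps in HMAC-SHA256 from Digest::SHA for the keyed case; the secret, salts, accounts and word list are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret. Keep it out of the table that stores the digests.
my $SERVER_SECRET = 'constructed-example-secret';

# Constructed sample accounts: alice and bob chose the same weak password.
my @accounts = (
    { user => 'alice', salt => '9f1c2ab4', password => 'sunshine'   },
    { user => 'bob',   salt => '03d7e6f0', password => 'sunshine'   },
    { user => 'carol', salt => 'b85a11c9', password => 'k7#Vq!2pLm' },
);

# Bare digest of the user-supplied plaintext, with nothing mixed in.
sub bare_digest {
    my ($password) = @_;
    return md5_hex($password);
}

# Plaintext mixed with a per-user salt and keyed with the server secret.
sub keyed_digest {
    my ($password, $salt) = @_;
    return hmac_sha256_hex("$salt:$password", $SERVER_SECRET);
}

# Audit table: digests of a small constructed word list, computed with no
# knowledge of the salt or the secret.
my %wordlist_digest = map { md5_hex($_) => $_ } qw(password sunshine letmein);

# Report whether a stored value can be found in the precomputed table.
sub exposed {
    my ($stored) = @_;
    return exists $wordlist_digest{$stored} ? 'yes' : 'no';
}

for my $acct (@accounts) {
    my $bare  = bare_digest($acct->{password});
    my $keyed = keyed_digest($acct->{password}, $acct->{salt});
    printf "%-6s bare=%s  in word-list table: %s\n", $acct->{user}, $bare, exposed($bare);
    printf "%-6s keyed=%.32s...  in word-list table: %s\n", $acct->{user}, $keyed, exposed($keyed);
}
```

The bare digests for alice and bob are identical and both appear in the word-list table, while their keyed values differ from each other and match nothing in it.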