PerlMonks  

Re^2: how to crypt and decrypt password from 4 to 15 characters in length

by tirwhan (Abbot)
on Jan 21, 2006 at 07:42 UTC


in reply to Re: how to crypt and decrypt password from 4 to 15 characters in length
in thread how to crypt and decrypt password from 4 to 15 characters in length

Using a hash function for passwords is a good suggestion, ++. However, there are known attacks for MD5 and SHA-1. While these attacks are not yet considered serious enough to recommend switching applications away from these hashing methods, better algorithms exist and should be used for new apps (this is particularly true for MD5). Both Digest::SHA and Digest::SHA::Perl can use SHA-256, which is stronger, so you should use it instead.


There are ten types of people: those that understand binary and those that don't.
Re^3: how to crypt and decrypt password from 4 to 15 characters in length
by Anonymous Monk on Jan 21, 2006 at 18:37 UTC
    Note that recent advances against hashing affect _collision resistance_, i.e., make it feasible to generate identical hashes from different inputs. These kinds of weaknesses don't directly influence the security of password one-wayness. (They don't let one create a password with the same hash as any particular other one.)

      True, which is why I said there is no need to migrate existing applications at this point. However, the existence of collision attacks makes it more likely that preimage attacks (which would allow one to generate an input that will produce a given existing hash) will be found. More secure algorithms exist and are not prohibitively computationally expensive; there is no reason not to use them.


      There are ten types of people: those that understand binary and those that don't.
