I did a little digging and it would seem that the best available alternative to SHA-1 is SHA-[more than 1]. :)
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Re-quoting a quote in Schneier's blog article:

> Luckily, there are alternatives. The National Institute of Standards and Technology already has standards for longer -- and harder to break -- hash functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already government standards, and can already be used. This is a good stopgap, but I'd like to see more.

All that said, float the base64 balloon! Maybe you could sell the auditor's response to Scott Adams. ;)

Sam

On Tue, Apr 22, 2008 at 9:12 AM, Paul Cowan <[EMAIL PROTECTED]> wrote:
> Hi,
> We have a web application where the username and password are stored in the database. The password is stored as SHA1. We have just been through a security audit which deemed SHA1 to be not the safest encryption algorithm. Is there any way we can update the passwords from SHA1 to base64? We also need to have the transport running over https, how can we develop against Https without purchasing a certificate?
> Is there a [EMAIL PROTECTED]
> ===================================
> This list is hosted by DevelopMentor(R) http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com

--
"For it is a doctrine not of the tongue but of life. It is not apprehended by the understanding and memory alone, as other disciplines are, but it is received only when it possesses the whole soul, and finds a seat and resting place in the inmost affection of the heart." John Calvin, The Institutes, Book III, Chapter VI, Section 4.
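As an added illustration of the two points in this exchange (not code from Sam's or Paul's messages): base64 is a reversible encoding, so "updating" stored passwords to it would leave them recoverable, whereas the SHA-2 digests named in the quoted Schneier post are one-way. The snippet also shows one way to move existing records off SHA-1 by re-hashing a password with SHA-256 at the moment a user logs in and the old digest verifies. The user table, the sample password and the unsalted hex-digest layout are constructed assumptions mirroring the thread's description.

```python
import base64
import hashlib
import hmac

# Constructed sample record: one user whose password is stored as an unsalted
# SHA-1 hex digest, as the application in the thread does (assumption).
USERS = {"paul": {"alg": "sha1", "digest": hashlib.sha1(b"hunter2").hexdigest()}}


def digest(alg, password):
    """Hex digest of the password under the named hash (sha1, sha224, sha256, sha384, sha512)."""
    return hashlib.new(alg, password.encode("utf-8")).hexdigest()


def verify_and_upgrade(users, username, password, target="sha256"):
    """Verify a login against the stored digest.

    On success, if the record still uses an algorithm other than the target,
    re-store it with the target SHA-2 digest so legacy SHA-1 rows migrate as
    their owners log in. Returns True only when the password matched.
    """
    record = users.get(username)
    if record is None:
        return False
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(digest(record["alg"], password), record["digest"]):
        return False
    if record["alg"] != target:
        record["alg"] = target
        record["digest"] = digest(target, password)
    return True


def base64_round_trip(password):
    """Return what base64 'storage' yields and what decoding it gives back.

    The decoded value equals the original password exactly: base64 is an
    encoding with no key and no one-way property, not a hash.
    """
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    decoded = base64.b64decode(encoded).decode("utf-8")
    return encoded, decoded
```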