On Fri, Nov 28, 2008 at 12:30:12AM +0000, Lyle wrote:
> I need to add a little security to one of my tracking scripts. The
> common way to do this is to encrypt a known tracking id combined with a
> secret password, such as md5( id . password ).
>
> I'm wondering if MD5 is the best way to go? I know max was talking about
> encryption at the last meet...
Presumably the aim of this is so that some random person can't figure
out what the next valid ID is? Or so that you can tell if they've
changed the ID because the hash won't match?
In that case, MD5 is fine. None of its current known weaknesses apply,
and for such tiny amounts of data attacks would be Hard, provided you
choose a strong password so they can't use a rainbow table. About 128
bits of password (incidentally, in the literature what you've valled a
password is normally called a salt - you are liable to confuse yourself
and your customers if you don't call it that, as the literature
generally uses hashes of *passwords* + salt as its examples; but I'll
continue to call it a password in this email) is considered to be strong
enough to protect root's password on modern Unixes.
If your password consists of a-z, A-Z, 0-9 and
\|,./<>?;'#:@~[]{}-_=+)(*&^%$"! (93 different characters) then you have
log(93)/log(2) == 6.5 bits per character, so should use a string of 19
or 20 random characters. If you use a passphrase, then remember that
English only gives you about 1 bit per character.
> Requirements are that other languages need to be able to easily do this
> encryption as well. Such as ASP VBscript, JScript, C#, ColdFusion, PHP,
> Python, Ruby...
MD5 is a very common algorithm, and I'd be shocked if it wasn't
available for all of those.
--
David Cantrell | Nth greatest programmer in the world
Perl: the only language that makes Welsh look acceptable
_______________________________________________
BristolBathPM mailing list
[email protected]
http://mailman.bristolbath.org/mailman/listinfo/bristolbathpm
