Hi All,

In simple authenticator it's possible to configure passwords to be stored as MD5 sums - for a security sucker there are two problems here.
MD5 is broken[1].
There is no salt added to the clear value, which means that if two users choose the same password, the encoded values will be the same. I suggest that someone add support for an alternative hashing algorithm, and that the hash is calculated with some prefix (username maybe).

I know the present is better than having the passwords in cleartext. But when a user chooses to enable the password hashing, it's for a reason. And there is no reason to choose to jump into the common security pitfalls :)

btw. is it against the protocol to raise this kind of question on this mailing list? Or should it be somewhere else?

./Morten

[1] http://en.wikipedia.org/wiki/MD5 (Back in 1995 it was recommended not to base further security on md5)
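The two problems the post raises, shown side by side as an added example (this is not the authenticator's own code, and the account data below is constructed): an unsalted MD5 store lets anyone reading the password file see which users share a password, while a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 here, from the standard library) produces distinct records even for identical passwords. The record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example, not a format the project defines.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts: two of the three users chose the same password.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}


def unsalted_md5(password: str) -> str:
    """The weak scheme the post describes: a bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 200_000) -> str:
    """Stronger scheme: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.

    The salt is not secret; it is stored next to the hash so the password
    can be verified later. Its job is to make equal passwords hash differently
    and to defeat precomputed tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def shared_hashes(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by stored value; any group with more than one member leaks
    the fact that those users share a password."""
    groups: Dict[str, List[str]] = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_md5(pw) for user, pw in users.items()}


def build_salted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {user: make_salted_record(pw) for user, pw in users.items()}


if __name__ == "__main__":
    weak = build_unsalted_store(USERS)
    print("unsalted MD5 duplicates:", shared_hashes(weak))      # alice and bob collide
    strong = build_salted_store(USERS)
    print("salted PBKDF2 duplicates:", shared_hashes(strong))   # empty
    print("bob verifies:", verify_salted_record("hunter2", strong["bob"]))
    print("wrong password verifies:", verify_salted_record("hunter3", strong["bob"]))
```

Checking the store with `shared_hashes` is a useful one-off audit on an existing unsalted password file: a non-empty result shows exactly which accounts reuse a password, which is the information the salt is there to hide.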
