> On Friday 09 Mar 2007, James Holmes wrote:
> > There are a number of people who use rainbow tables on a regular basis
> > that would beg to differ on this point.
>
> Using brute force to find a hash collision is not the same as finding out my password.
Password discovery is password discovery, regardless of the method, be it social engineering, brute force, packet sniffing, key logging, whatever... If you discover the password, then in many cases you have the keys to the kingdom, and although MD5 is stronger than plain text storage and would deter the casual hack, it is now known to be flawed, and computing power these days means this flaw is more exploitable than ever. Having said that, plain text is still a much easier target and I would guess that it is still the most prevalent way to store passwords...

As with everything, security is all about levels of safety and finding a good balance between complexity and risk. It is a multi-faceted problem and you shouldn't depend on one technology to secure an entire system. Security in-depth is the phrase du jour, I believe! If you aren't happy with MD5 because of its flaws then at least CF now has native support for stronger algorithms, and even then there are third party plugins that extend this further. Then again, if you want some security and you aren't too fussed if your password is discovered, then MD5 is still a good option for obfuscation.

One other thing that occurs to me but isn't directly related to the original question... If someone were to gain access to your DB and all you were encrypting was your users' passwords, then what is the point? I have seen this all too many times... Passwords encrypted or hashed, sensitive data, plain text... Oh dear!

Paul

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272148
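As an added illustration, not part of Paul's message and not ColdFusion code, the following Python shows the property that rainbow tables rely on (every user with the same password gets the same unsalted MD5 digest, so one precomputed table serves every stolen hash) and what a salted, iterated hash changes. The three "common passwords" and the tiny lookup table are constructed sample data; the storage format `pbkdf2_sha256$iterations$salt$key` is an assumption chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: a tiny stand-in for a precomputed (rainbow) table.
# A real table would be far larger, but the lookup works the same way.
COMMON_PASSWORDS = ["password", "letmein", "123456"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme under discussion in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(stored_hash: str) -> Optional[str]:
    """Precomputed-table lookup. It succeeds because equal passwords always
    produce equal digests, so the table never has to be rebuilt per user."""
    return PRECOMPUTED_MD5.get(stored_hash)


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated SHA-256 (PBKDF2). A fresh random salt per user means
    two users with the same password get different stored values, and the
    iteration count makes each guess cost far more than one MD5 call."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed storage format for this example: algorithm$iterations$salt$key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check itself does not leak which bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users who chose the same password, stored both ways.
    a_md5, b_md5 = md5_store("letmein"), md5_store("letmein")
    print("unsalted MD5 identical for both users:", a_md5 == b_md5)
    print("table lookup recovers:", lookup_md5(a_md5))

    a_pb, b_pb = pbkdf2_store("letmein"), pbkdf2_store("letmein")
    print("salted PBKDF2 identical for both users:", a_pb == b_pb)
    print("verify correct password:", pbkdf2_verify("letmein", a_pb))
    print("verify wrong password:", pbkdf2_verify("wrong", a_pb))
```

The point of the comparison is the one Paul makes about levels of safety: unsalted MD5 still beats plain text against a casual look at the table, but a single precomputed table answers every stolen digest at once, whereas a per-user salt forces the work to be redone for each record and the iteration count makes that work expensive.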

