> I was told that MD5 has a weak key and that Secure Hash Algorithm
> (SHA-1) is stronger.

Yes, SHA-1 is technically "stronger" than MD5. Still, I totally agree with Jochem van Dieten: "Conclusion: the password itself has less entropy as the hash potentially has. I would improve the password quality before worrying about the hash."

It will take roughly the same amount of time to brute force a 6 character password using MD5 hash or the SHA-1 hash. When you get to this level, the length of the password becomes the "weakest link", not the strength of the encryption.

-Cameron

--------------------
Cameron Childress
elliptIQ Inc.
p.770.460.1035.232
f.770.460.0963
--
http://www.neighborware.com
America's Leading Community Network Software

> -----Original Message-----
> From: Lewis Steven [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 19, 2002 1:09 PM
> To: CF-Talk
> Subject: RE: only one MD5 hash?
>
>
> I was told that MD5 has a weak key and that Secure Hash Algorithm
> (SHA-1) is stronger.
>
> -----Original Message-----
> From: Howie Hamlin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 19, 2002 12:53 PM
> To: CF-Talk
> Subject: Re: only one MD5 hash?
>
>
> You can't recover the text from an MD5 hash. The idea of the hash is that
> the hash is created based on a known key (a password, for example) and that
> you can duplicate the results of the hash if you know the original text and
> the key. MD5 is commonly used in SMTP authentication where the user knows his
> password and the server knows the password. The server presents a challenge
> string (the string changes each time) that the client uses to produce an MD5
> string (using the password as the key). The client then sends the MD5 result
> to the server and the server compares it to its own result. Thus, you verify
> the password without actually transmitting it.
>
> Regards,
>
> Howie
>
> ----- Original Message -----
> From: "Cameron Childress" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, February 19, 2002 11:36 AM
> Subject: RE: only one MD5 hash?
>
>
> > Brute forcing this 100,000 character string would take a very very very
> > long time.
> >
> > <snip>
> >
> > -Cameron
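
The challenge-response exchange described in Howie Hamlin's quoted message, as an added example that is not part of the original thread. It assumes the keyed MD5 is HMAC-MD5, as in CRAM-MD5 (RFC 2195); the `Server` class, function names, host name and sample account are hypothetical.

```python
import hashlib
import hmac
import os
import time


def new_challenge(hostname="mail.example.test"):
    """Server side: a fresh challenge (random part + timestamp) per attempt."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)


def client_response(password, challenge):
    """Client side: HMAC-MD5 over the challenge, with the password as the key."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


class Server:
    def __init__(self, passwords):
        self.passwords = passwords   # user -> shared secret; the server must hold it
        self.pending = {}            # user -> outstanding challenge

    def start(self, user):
        self.pending[user] = new_challenge()
        return self.pending[user]

    def verify(self, user, response):
        # pop() makes every challenge single-use, so a captured response
        # cannot be replayed against a later login attempt.
        challenge = self.pending.pop(user, None)
        secret = self.passwords.get(user)
        if challenge is None or secret is None:
            return False
        expected = client_response(secret, challenge)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    server = Server({"alice": "correct horse battery"})  # constructed sample account
    challenge = server.start("alice")
    response = client_response("correct horse battery", challenge)
    print("challenge:", challenge)
    print("response :", response)               # the password never crosses the wire
    print("accepted :", server.verify("alice", response))
    server.start("alice")                        # new login attempt, new challenge
    print("replayed :", server.verify("alice", response))
```

An observer who records one challenge and its response can still test password guesses offline against that pair, so the password-length point made in the reply applies to this exchange as well.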

