On Fri, 05 Dec 2008 15:23:45 +1100 Ron Savage <[EMAIL PROTECTED]> wrote:
> Hi Mark
>
> On Thu, 2008-12-04 at 23:07 -0500, Mark Rajcok wrote:
> > On Thu, Dec 4, 2008 at 10:38 PM, Mark Rajcok <[EMAIL PROTECTED]> wrote:
> >
> > > > For those people who still think MD5 offers some type of security, I
> > > > suggest you direct readers to:
> > > > http://en.wikipedia.org/wiki/Rainbow_table
> > >
> > > Thanks, I didn't realize I was just hashing, not really encrypting. I'll
> > > switch. What would you recommend instead? Crypt::PasswdMD5? and randomly
> > > generate a salt each time I write the encrypted password to the database?
> >
> > I wrote too soon... switching may be difficult. I'm using
> > CAP-Authentication, and it looks like my only options are crypt, MD5, SHA1.
> > Is crypt any better?
> > Maybe I should just change the tutorial and remove any talk of security?
>
> SHA1 is more secure, but it's a question of what you are trying to
> achieve.
>
> For example, if you transmit the password in clear, or an MD5 or SHA1
> version of it, if someone were to intercept any of those they could
> replay the interception (without caring about the hashing technique).
>
> If you wish to avoid that, use https.
>
> Or, if you wish to simply disguise the password, use SHA1.

I'll just add that I back up Ron's recommendations here.

Mark

--
Mark Stosberg, Principal Developer, Summersault, LLC
[EMAIL PROTECTED] / 765-939-9301 ext 202
database driven websites . . . . . http://www.summersault.com/
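An added illustration of the two points raised in the thread above (not code from the list, CGI::Application or Crypt::PasswdMD5), written in Python rather than Perl: an unsalted MD5 maps the same password to the same stored value every time, which is exactly what a rainbow table exploits, whereas hashing with a fresh random salt on every write gives distinct stored values even for identical passwords. The `salt$digest` storage layout and the function names are assumptions of this example; the digest is SHA1 because that is what the thread discusses, with a comment on where current practice differs.

```python
import hashlib
import hmac
import os
from typing import Optional


def unsalted_md5(password: str) -> str:
    """The scheme under discussion: deterministic, so a precomputed
    table of md5(candidate) lookups recovers common passwords directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA1 stored as 'salthex$digesthex' (layout assumed here).

    A new 16-byte random salt is drawn for every write, so two users with
    the same password, or one user re-saving the same password, produce
    different records and a single precomputed table no longer applies.
    Note: SHA1 is what the thread discusses; a deliberately slow password
    hash (bcrypt, scrypt, PBKDF2) is the usual choice today.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        salt_hex, _digest = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def same_password_distinct_records(password: str, n: int = 5) -> bool:
    """True when n separate writes of one password yield n distinct records."""
    records = {hash_password(password) for _ in range(n)}
    return len(records) == n


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verifies:", verify_password("correct horse battery staple", record))
```

Transport is a separate matter, as Ron notes: the salt only protects the stored record, and a password or digest sent over plain HTTP can still be captured and replayed, which is why the https advice stands regardless of the hash used.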
