* lantz moore <[EMAIL PROTECTED]> [010403 14:16]:
> i was just pointing out that if someone does use someone else's name/email
> as their password, temporary confusion will ensue.

If you can figure out how to get an email address + user-supplied random data (even if not very random :) + server-supplied random data (important to be random) out of a single md5/sha1 hash, then hats off to you. :)

The only known method for finding out *possible* contents of an sha1 hash is brute force checking all inputs. There are known problems with the md5 hash algorithm and its use in new situations should probably be considered deprecated though its continued use in existing applications is more acceptable -- getting the contents out of md5 is still probably best done through brute force.

So, if the server admins want to prevent brute-force finding out possible contents of the hash, then they had best throw some 2^64 bits of randomness in the thing. If the voter wishes to keep the contents of the hash secret, the voter had best throw in some 2^64 bits of randomness. (This is to prevent brute-force searching in case one or the other is chosen weakly.)

-- 
Earthlink: The #1 provider of unsolicited bulk email to the Internet.
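The brute-force argument in the message above, as an added example that is not part of the original post: a hash over email + voter nonce + server nonce is checked against a guess list, once with both nonces weak and once with either side contributing 64 random bits. The field encoding (length-prefixed concatenation), the function names and the sample addresses are assumptions made for this illustration.

```python
import hashlib
import secrets

def receipt(email: str, voter_nonce: bytes, server_nonce: bytes) -> str:
    """SHA-1 over the three fields (assumed encoding: 4-byte length prefix each)."""
    h = hashlib.sha1()
    for field in (email.encode(), voter_nonce, server_nonce):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()

def guess_email(target, candidates, voter_guesses, server_guesses):
    """Brute-force check of every (email, voter nonce, server nonce) guess."""
    for email in candidates:
        for vn in voter_guesses:
            for sn in server_guesses:
                if receipt(email, vn, sn) == target:
                    return email
    return None

# Constructed sample data: a small list of plausible voters and the
# complete space of one-byte ("not very random") nonces.
CANDIDATES = ["alice@example.org", "bob@example.org", "carol@example.org"]
ONE_BYTE = [bytes([i]) for i in range(256)]

def run_cases():
    strong = secrets.token_bytes(8)  # 64 bits from the OS CSPRNG
    cases = {
        "both weak": receipt("bob@example.org", b"\x07", b"\x2a"),
        "server strong": receipt("bob@example.org", b"\x07", strong),
        "voter strong": receipt("bob@example.org", strong, b"\x2a"),
    }
    # The searcher knows the candidate list but can only afford to
    # enumerate the one-byte nonce space on each side.
    return {name: guess_email(h, CANDIDATES, ONE_BYTE, ONE_BYTE)
            for name, h in cases.items()}

if __name__ == "__main__":
    for name, found in run_cases().items():
        print(f"{name:14} -> {found}")
```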

