On 20.06.2012 22:52, Stefan Fritsch wrote:
> On Wed, 20 Jun 2012, Nick Edwards wrote:
>> I posted this to users list last week but no-one bit, so I'm trying here.
>>
>> With md5crypt no longer recommended for use by its author, will Apache
>> soon support sha256/sha512 in basic authentication via MySQL?
> 
> Note that it does not really matter that much which hash algorithm is used. 
> The number of rounds is more important.
> APR-MD5 ("$apr1$") does 1000 times recursive md5 (which is 1000 times more 
> secure in terms of brute forcing than
> plain md5). 

jesus christ do not tell this any crypto specialist!
this is completely wrong and the opposite is true

you do NOT NEED the right password
you ONLY need a hash-collision

in the worst case md5(password(md5(password)) is much more
insecure than md5(password) alone! why?

because if my password is longer than a hash and you are
hashing the hash again the original password will no
longer matter - the collision is based on the shorter one
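
The two quantities argued about in this thread, measured in an added example that is not from either poster or from Apache: the MD5 calls an offline guesser spends per candidate, and the digest size, for 1 round versus 1000. `stretched` is a simplified salted iteration assumed for illustration, not the real `$apr1$` algorithm; the salt, candidate list and password are constructed.

```python
import hashlib
import hmac

class CountingMD5:
    """Counts MD5 invocations so cost is measured in hash calls, not wall time."""
    def __init__(self):
        self.calls = 0

    def digest(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.md5(data).digest()

def stretched(password: bytes, salt: bytes, rounds: int, md5: CountingMD5) -> bytes:
    # Assumed, simplified scheme (NOT real $apr1$): salt and password are
    # mixed back into every round together with the previous digest.
    h = md5.digest(salt + password)
    for _ in range(rounds - 1):
        h = md5.digest(h + salt + password)
    return h

def verify(password: bytes, salt: bytes, rounds: int, stored: bytes) -> bool:
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(stretched(password, salt, rounds, CountingMD5()), stored)

def guessing_cost(candidates, salt: bytes, rounds: int, stored: bytes):
    """Return (matching candidate or None, MD5 calls spent) for a candidate list."""
    md5 = CountingMD5()
    for cand in candidates:
        if hmac.compare_digest(stretched(cand, salt, rounds, md5), stored):
            return cand, md5.calls
    return None, md5.calls

# Constructed sample data; the password is longer (28 bytes) than an MD5 digest (16 bytes).
SALT = b"constructed-salt"
SECRET = b"correct horse battery staple"
CANDIDATES = [b"letmein", b"hunter2", SECRET, b"s3cret"]

def demo():
    """Map rounds -> (candidate found, MD5 calls spent, stored digest size in bytes)."""
    results = {}
    for rounds in (1, 1000):
        stored = stretched(SECRET, SALT, rounds, CountingMD5())
        found, calls = guessing_cost(CANDIDATES, SALT, rounds, stored)
        results[rounds] = (found, calls, len(stored))
    return results

if __name__ == "__main__":
    for rounds, (found, calls, size) in demo().items():
        print(f"rounds={rounds}: found={found!r} md5_calls={calls} digest_bytes={size}")
```

The stored value is 16 bytes in both cases, while the work per tested candidate grows linearly with the round count.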

