Am 20.06.2012 23:19, schrieb Reindl Harald:
>
>
> Am 20.06.2012 22:52, schrieb Stefan Fritsch:
>> On Wed, 20 Jun 2012, Nick Edwards wrote:
>>> I posted this to users list last week but no-one bit, so I'm trying here.
>>>
>>> With md5crypt no longer recommended for use by its author, will Apache
>>> soon support sha256/sha512 in basic authentication via MySQL.
>>
>> Note that it does not really matter that much which hash algorithm is used.
>> The number of rounds is more important.
>> APR-MD5 ("$apr1$") does 1000 times recursive md5 (which is 1000 times more
>> secure in terms of brute forcing than
>> plain md5).
>
> jesus christ do not tell this any crypto specialist!
> this is completly wrong and the opposite true
>
> you do NOT NEED the right password
> you ONLY need a hash-collision
>
> in the worst case md5(password(md5(password)) is much more
> unsecure as md5(password) alone! why?
>
> because if my password is longer than a hash and you are
> hasing the hash again the original password will no
> longer matter - the collsion is based on the shorter one
one more reason:
md5('jKül#*+-OA') is MUCH more secure
than md5(md5('jKül#*+-OA'))
recursion of hashing results in lose any benefit
of special chars and case-sensitivity because the
second ash is based only on a-z and 0-9
you do not need the original password!
you only need a hash-collision and can leave out
special chars completly to find one
signature.asc
Description: OpenPGP digital signature
