On Tuesday, 21 January 2014 at 09:58:34 UTC, Uranuz wrote:
I don't feel confident about crypto and security questions, but I need to implement password hashing and session ID generation, and make it difficult to recover a password by brute force or a dictionary attack with a single "usual" computer. I'm slightly disappointed that the more I read different articles on IT forums, the less I understand. And there are several opposing ideas that stun me:

1. All security systems, ciphers, etc. can be hacked if someone wants it.
2. Do not reinvent the wheel. Everything has been invented already.
3. If you use a standard implementation, there is a high risk that it was cracked already.
4. Is it really essential to someone to crack your security?

About md5, I have read that it's already cracked. It's vulnerable to a length extension attack. As I feel, SHA-2 is better (but it's not my opinion, it's just a subjective feeling). And maybe a more modern algorithm hasn't been hacked until now. A higher variety of standard implemented hash algorithms makes it possible to combine them in different manners to get a non-standard implementation of a hash. As I think, it can increase security against attacks with rainbow tables.

I don't know if I'm right or not. The reason why I asked is that I'm implementing authentication on a site written in D. So I want to make the password hash generation function secure enough to forget about it for ~5 years or more. Because there are only a few hash functions implemented in std.digest and they are not so strong for security reasons. It makes it not very useful.

P.S. Sorry for my English.

I don't have any significant expertise on this subject, but I did
find this highly rated article useful and interesting:
http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
Note that it recommends against md5.
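As an added illustration of what the linked article's "salted password hashing" recommendation looks like in practice (this is example code written for this thread, not code from the article, from std.digest, or from either poster; it is in Python rather than D so that it can be run anywhere, and the iteration count, salt size and storage format are assumptions chosen for the example): each password gets its own random salt, the salt and the slow iterated hash are stored together, verification is constant-time, and session IDs come from the OS random source rather than from a hash of predictable data. The per-user salt is what defeats rainbow tables: two users with the same password get different stored hashes, so a precomputed table of hashes is useless.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2 with HMAC-SHA-256, a 16-byte
# random salt per password, and a fixed work factor (iteration count).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000
KEY_LENGTH = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn unless one is supplied (only tests should
    supply one). Storing the parameters beside the hash lets the work factor be
    raised later without breaking existing accounts.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LENGTH)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):],
                                    password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than the current
    one; call after a successful login to upgrade old hashes transparently."""
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations


def new_session_id() -> str:
    """Session identifier from the OS CSPRNG (256 bits, URL-safe base64).
    Unguessable by construction, so no hashing of user data is involved."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    # Same password, different salt, different hash: rainbow tables do not apply.
    print("same pw twice identical?", hash_password("hunter2") == hash_password("hunter2"))
    print("session id:", new_session_id())
```

Usage note: the record format carries its own algorithm name and iteration count, so `needs_rehash` can drive a gradual migration to a higher work factor (or a different KDF) as hardware gets faster, which is the practical answer to "secure enough to forget about for ~5 years".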