Personally, I've recently started using (mostly for kicks) things like https://en.wikipedia.org/wiki/Scrypt https://en.wikipedia.org/wiki/Bcrypt https://en.wikipedia.org/wiki/PBKDF2 I suppose the option to tune them in the future (or even introduce a configurable parameter) is also a plus.
2015-07-26 21:38 GMT+03:00 Alex Peshkoff <peshk...@mail.ru>: > On 07/26/2015 01:39 PM, James Starkey wrote: > > Get real. Read about the actual problems. Bthe issue is that there is a > > theoretical problem that a manufactured duplicate collision could be > > manufactored in something like time 2^82, something that nobody has > > actually be able to do. > > > > Sure, SHA-1 has a known weakeness. It's replacement probably has an as > yet > > unknown weakness as well. > > > > If you were starting over from scratch, you wouldn't want to use SHA-1 to > > avoid wasting time with discussions like this. See also RC4. But the > > problem with SHA-1 doesn't justify the inconvenience of changing it. > > I do not see serious inconveniences with it. BTW, what hash can you > suggest instead? > > > Now, all that said, if the only use of SHA-1 is to flatten the "master > key" > > in SRP into a session key, then there is no dependency on SHA-1 as a > > cryptographic hash, only as randomizing hash, and the weakness is > > irrelevant. But if it's used to store passwords, that's a security > problem > > so huge that any SHA-1 weakness doesn't even come into it. > > > > Context is everything. > > > > Yes, SHA-1 is used to store password hashes. For SRP an exponent of > SHA1(login, salt, password) modulus the prime is stored. > > > > ------------------------------------------------------------------------------ > Firebird-Devel mailing list, web interface at > https://lists.sourceforge.net/lists/listinfo/firebird-devel >
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
