I can tell you that md5 (even with salt, I was surprised to learn) is no longer appropriate for... much. There isn't enough entropy in it, and as a result, there are multiple full databases of MD5 tables online. Use sha1.
Not sure what is meant by a random salt. Presumably, you mean using a long, pseudorandom sequence as your salt? Lots of ways to generate that... I get them (same as my passwords) from grc.com (perfect passwords generator), but there are lots of very solid generators.

Matt Murphy

On Mon, Aug 30, 2010 at 12:29 PM, teccmo [via Zend Framework Community] <[email protected]> wrote:

> Hi,
>
> I am trying to understand the implications of sha1 vs md5 and salting,
> etc... I want to create a login that is fairly secure. I remember reading a
> very thorough blog post that was tweeted by @weierophinney but for the life
> of me I can't find it.
>
> I read through what I could find on Google and I could not discern a
> definitive direction to take...
> except use a long random salt.
>
> http://www.openwall.com/phpass/ - here they run the password thru md5
> thousands of times. Seems like overkill...
>
> So any help or direction to articles on this would be much appreciated.
> Thank you.

--
View this message in context: http://zend-framework-community.634137.n4.nabble.com/Guidance-on-storing-passwords-securely-tp2400394p2400537.html
Sent from the Zend Framework mailing list archive at Nabble.com.
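
The two ideas raised in this thread, a long random salt per password and running the hash thousands of times, are shown together below as an added example that is not part of the original messages and is not phpass code. It substitutes PBKDF2-HMAC-SHA256 (PHP's built-in `hash_pbkdf2`) for phpass's own iterated scheme; the function names, record format and iteration count are assumptions made for the illustration.

```php
<?php
// Added illustration (PHP 7+). Function names, the record format and the
// iteration count are assumptions, not taken from the thread or from phpass.

const PBKDF2_ITERATIONS = 100000; // assumed work factor; tune to your hardware
const SALT_BYTES = 16;
const KEY_BYTES = 32;

// Hash a new password with a fresh salt from the OS CSPRNG. The salt and the
// iteration count are stored beside the derived key so the record can be
// verified later and the work factor raised without breaking old records.
function hash_password(string $password): string
{
    $salt = random_bytes(SALT_BYTES);
    $key = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, KEY_BYTES, true);
    return sprintf('pbkdf2-sha256$%d$%s$%s', PBKDF2_ITERATIONS, bin2hex($salt), bin2hex($key));
}

// Recompute the key with the stored salt and iteration count, then compare
// in constant time. Malformed records are rejected rather than guessed at.
function verify_password(string $password, string $stored): bool
{
    $pattern = '/^pbkdf2-sha256\$(\d{1,9})\$((?:[0-9a-f]{2})+)\$((?:[0-9a-f]{2})+)$/';
    if (!preg_match($pattern, $stored, $m) || (int)$m[1] < 1) {
        return false;
    }
    $salt = hex2bin($m[2]);
    $expected = hex2bin($m[3]);
    $actual = hash_pbkdf2('sha256', $password, $salt, (int)$m[1], strlen($expected), true);
    return hash_equals($expected, $actual);
}

// Constructed sample input: the same password hashed for two accounts.
$password = 'correct horse battery staple';
$recordA = hash_password($password);
$recordB = hash_password($password);

// Different salts give different records, so one precomputed table cannot
// cover both accounts; each guess also costs PBKDF2_ITERATIONS hash rounds.
var_dump($recordA !== $recordB);
var_dump(verify_password($password, $recordA));
var_dump(verify_password('wrong guess', $recordA));
var_dump(verify_password($password, 'not-a-valid-record'));
```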
