Hi Alex,

alex.d wrote:
> What about "easy"-hashing on the client side, like for example md5?
> Sure, lately there were several reports about possibilities to crack
> it quicker than expected (a few hours or even minutes), but I haven't
> seen any working tool to make it work yet.

You can't "decrypt" a hash, but you can find a text that leads to the same hash value as the original password does. So all you need is a dictionary of all possible hash values and a text that leads to this hash value. Nowadays storage media can hold this number of entries, so there is no special tool necessary; a simple database does the trick.

> So hashing with md5 on the
> client side, and then with BCrypt on the server, should eliminate
> probably 90% of the attack attempts.

If you want to be sure you can use MD5 and SHA1 (both considered weak now) if no other hash algorithms like SHA256 are available. It's quite unlikely to easily find a text that leads to the same hash values for MD5 and SHA1 as the original password did. This can be considered a temporary solution until other hashing algorithms like SHA256 have found their way into the cryptography libraries out there.

> And if somebody is ready to go
> the hard way, well, then there is probably not that much you can do
> about it - if somebody wants to hack you - they will succeed.

NPI: Strange point of view. I hope you're not working for a website where I place orders using my credit cards.

Regards,
Lothar
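
Added example, not part of the original message: the "simple database" lookup described above run against the unsalted client-side MD5 step, next to a salted, slow server-side hash of that digest. The candidate list is constructed sample data, the function names are hypothetical, and PBKDF2-HMAC-SHA256 is an assumption standing in for BCrypt, which is not in the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed sample input: a tiny candidate list standing in for a large dictionary.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon"]


def client_md5(password: str) -> str:
    """The unsalted client-side MD5 step proposed in the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> text once; the same table serves every unsalted digest."""
    return {client_md5(c): c for c in candidates}


def enroll(client_digest: str, iterations: int = 100_000):
    """Server side: random per-user salt plus a slow KDF over the client digest.
    PBKDF2 is an assumption standing in for BCrypt."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_digest.encode(), salt, iterations)
    return salt, stored, iterations


def verify(client_digest: str, record) -> bool:
    """Recompute with the record's salt and compare in constant time."""
    salt, stored, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", client_digest.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo():
    lookup = build_lookup(CANDIDATES)
    digest = client_md5("letmein")
    rec_a, rec_b = enroll(digest), enroll(digest)  # two users, same password
    return {
        "md5_resolved_by_table": lookup.get(digest),
        "stored_values_differ": rec_a[1] != rec_b[1],
        "login_ok": verify(digest, rec_a),
        "wrong_password_ok": verify(client_md5("letmein1"), rec_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted digest is identical for every user with the same password, so one precomputed table covers all of them; the per-user salt makes each stored value unique, so no shared table applies to the server-side records.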
