> Hi Alex,
>
> alex.d wrote:
>
> > What about "easy"-hashing on the client side like for example md5?
> > Sure, lately there were several reports about possibilities to crack
> > it quicker than expected (a few hours or even minutes) but I haven't
> > seen any working tool to make it work yet.
>
> You can't "decrypt" a hash, but you can find a text that
> leads to the same hash-value as the original password does.
> So all you need is a dictionary of all possible hash-values
> and a text that leads to this hash-value. Nowadays storage
> media can hold this number of entries, so there is no
> special tool necessary; a simple database does the trick.

Actually, with that weakness that scientists found in the md5 algorithm it
was possible to find a password (not decrypt) much quicker than by just
brute-forcing.

> > So hashing with md5 on the
> > client side, and then with BCrypt on the server, should eliminate
> > probably 90% of the attack attempts.
>
> If you want to be sure you can use MD5 and SHA1 (both considered
> weak now) if no other hash-algorithms like SHA256 are available.
> It's quite unlikely to find a text easily that leads to the same
> hash-values for MD5 and SHA1 like the original password did.
> This can be considered as a temporary solution until other
> hashing algorithms like SHA256 have found their way into
> the cryptography libraries out there.

Exactly my point.

> > And if somebody is ready to go
> > the hard way, well, then there is probably not that much you can do
> > about it - if somebody wants to hack you - they will succeed.
>
> NPI: Strange point of view. I hope you're not working for a website
> where I place orders using my credit-cards.

Every piece of code written by man has errors. With enough time and
resources it is possible to find these errors and exploit them. Most of
the people will not have money or time to hack for example Amazon. It
doesn't mean it's impossible. Any governmental structure like Homeland
Security on the other side has potential to hack itself into almost
everything.

> Regards, Lothar
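
Added example, not part of the original thread: a sketch of the "dictionary of hash-values" lookup described above against unsalted MD5, beside per-user salted storage on the server. PBKDF2-HMAC-SHA256 from Python's standard library stands in for BCrypt here; the candidate list, account names and iteration count are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list and two accounts sharing a password.
CANDIDATES = ["123456", "letmein", "password", "qwerty", "sunshine"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein"}
ITERATIONS = 100_000  # assumed work factor for the stand-in KDF

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_lookup(candidates):
    """Precompute digest -> text once; the table is reusable for every unsalted MD5."""
    return {md5_hex(c): c for c in candidates}

def salted_record(password, salt=None):
    """Server-side storage: a random per-user salt plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def compare_storage():
    """Store the same accounts both ways and report what a precomputed table sees."""
    lookup = build_lookup(CANDIDATES)
    unsalted = {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    return {
        # Unsalted MD5: equal passwords give equal digests; one table resolves both.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_resolved": {u: lookup.get(d) for u, d in unsalted.items()},
        # Salted KDF: equal passwords give different records; checks need the salt.
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_verifies": verify("letmein", *salted["alice"]),
        "salted_rejects_wrong": not verify("qwerty", *salted["alice"]),
    }

if __name__ == "__main__":
    print(compare_storage())
```
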