FYI, post #5 on this thread:
http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/59f3aafcf4951523/83edc30eabccc671
says:

> After some more research I did not find a bcrypt implementation in
> JavaScript but there are implementations for MD4, MD5, SHA1 at
> http://pajhome.org.uk/crypt/md5/ and an implementation for SHA-256 at
> http://anmar.eu.org/projects/jssha2/

In fact, the whole thread is probably of interest to anyone who is interested in this one.

Regards
Ravi

On Sep 18, 12:54 pm, Lothar Kimmeringer <[EMAIL PROTECTED]> wrote:
> Hi Alex,
>
> alex.d wrote:
>
> > What about "easy"-hashing on the client side like for example md5?
> > Sure, lately there were several reports about possibilities to crack
> > it quicker than expected (a few hours or even minutes) but I haven't
> > seen any working tool to make it work yet.
>
> You can't "decrypt" a hash, but you can find a text that
> leads to the same hash-value as the original password does.
> So all you need is a dictionary of all possible hash-values
> and a text that leads to this hash-value. Nowadays storage
> media can hold this number of entries, so there is no
> special tool necessary; a simple database does the trick.
>
> > So hashing with md5 on the
> > client side, and then with BCrypt on the server, should eliminate
> > probably 90% of the attack attempts.
>
> If you want to be sure you can use MD5 and SHA1 (both considered
> weak now) if no other hash-algorithms like SHA256 are available.
> It's quite unlikely to find a text easily that leads to the same
> hash-values for MD5 and SHA1 like the original password did.
> This can be considered as a temporary solution until other
> hashing algorithms like SHA256 have found their way into
> the cryptography libraries out there.
>
> > And if somebody is ready to go
> > the hard way, well, then there is probably not that much you can do
> > about it - if somebody wants to hack you - they will succeed.
>
> NPI: Strange point of view. I hope you're not working for a website
> where I place orders using my credit-cards.
>
> Regards, Lothar
