Hi all,
Hitherto, I have used the md5 unit to do simple encryption of passwords before 
sending them over the network for zybacafe.
The database holds the MD5 checksum of the password; the clients generate an
MD5SUM on login and then compare this to the stored one - ergo there are
never any plaintext passwords going over the network.

That seemed to work fine - except it turns out that MD5 is even LESS reliable 
than I thought, at least on small data. 
I had a bug report (and confirmed it) that you can log into anybody's account 
if you simply know how many characters his password has.

Apparently '123456' generates exactly the same MD5SUM as 'beebob' (for any 
particular set of values) !

So clearly, I need to change this... but to what ?

Any suggestions ? Something FPC/Lazarus has native support for would obviously 
be preferred. Which hashing function would you guys recommend ?
-- 
"80% Of a hardware engineer's job is application of the uncertainty principle.
80% of a software engineer's job is pretending this isn't so."
A.J. Venter
Chief Software Architect
OpenLab International           | +27 83 455 99 78 (South Africa) 
http://www.getopenlab.com       | 086 654 2898 (Fax)
http://www.silentcoder.co.za    | +55 118 162 2079 (Brazil)
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x27CFFE5A
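
The login scheme described in the post (the client sends an MD5 digest and the server compares it with the stored one), sketched in Python as an added example that is not part of the original post or of zybacafe's code; it shows that the transmitted digest itself acts as the credential and checks whether two same-length passwords share a digest. The salted PBKDF2 challenge-response variant beside it, all function names and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password bytes, as the post's scheme stores and sends."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_login(stored_digest: str, received_digest: str) -> bool:
    """Described scheme: the server only compares two digests."""
    return hmac.compare_digest(stored_digest, received_digest)


def enroll(password: str) -> dict:
    """Assumed replacement: per-user salt plus a PBKDF2-HMAC-SHA256 key.
    The stored key is still sensitive and must be protected in the database."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "key": key}


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client re-derives the key and answers the server's one-time nonce."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def server_verify(record: dict, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the expected answer for the nonce it issued."""
    expected = hmac.new(record["key"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample input: the two passwords named in the post.
    a, b = md5_hex("123456"), md5_hex("beebob")
    print("same-length passwords share a digest:", a == b)
    # The digest is the credential: whoever holds it passes the comparison.
    print("stored digest accepted as login:", legacy_login(a, a))
    rec = enroll("123456")
    n1, n2 = os.urandom(16), os.urandom(16)
    r1 = client_response("123456", rec["salt"], n1)
    print("fresh nonce, correct password:", server_verify(rec, n1, r1))
    print("old response against a new nonce:", server_verify(rec, n2, r1))
```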
