[EMAIL PROTECTED] wrote:
>
> On 22 Sep, John Aldrich wrote:
> > Well, you see, that's the beauty of MD5 hashes...it's not encryption,
> > per se. :-) IIRC, MD5 creates a "fingerprint" of the password and
> > then throws away the password. In the future, if someone wants to
> > access something with an MD5 hashed password, the password is
> > re-fingerprinted and compared to the existing hash. If it is a 100%
> > match, then the person is allowed to go on. If it doesn't match 100%
> > then it's rejected and the process starts all over again! :-)
>
> Right, so... does every system using MD5 have a different algorithm
> for computing the hash? Thus, my system gets different hashes for the
> same password? If not, then you could certainly use a dictionary of
> hashes to get his passwords. If so, then you can still use the brute
> force crack, assuming you can get ahold of the algorithm that is used to
> compute passwords. Right?

You're forgetting the salt which is combined with the password to create
the hash.

> Anyway, it's still bad practice to send passwords, even
> encrypted/hashcode through e-mail.

Agreed.

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
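
Added example, not part of the original thread or any poster's code: a sketch of the fingerprint-and-compare check discussed above, showing why a per-account salt makes one precomputed dictionary of hashes useless across accounts. The `salt || password` construction, the 8-byte salt, and the names `fingerprint`, `enroll` and `verify` are assumptions for illustration, not the exact scheme any particular system uses.

```python
import hashlib
import hmac
import os

SALT_BYTES = 8  # assumption: salt length chosen for this sketch


def fingerprint(password: str, salt: bytes = b"", algo: str = "md5") -> str:
    """Hash salt || password; with an empty salt this is the plain, unsalted hash."""
    h = hashlib.new(algo)
    h.update(salt + password.encode("utf-8"))
    return h.hexdigest()


def enroll(password: str, algo: str = "md5") -> dict:
    """Create a stored record: a fresh random salt plus the salted fingerprint."""
    salt = os.urandom(SALT_BYTES)
    return {"algo": algo, "salt": salt.hex(), "hash": fingerprint(password, salt, algo)}


def verify(candidate: str, record: dict) -> bool:
    """Re-fingerprint the candidate with the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    actual = fingerprint(candidate, salt, record["algo"])
    return hmac.compare_digest(actual, record["hash"])


def demo() -> dict:
    pw = "correct horse"  # constructed sample password
    # Unsalted: the same password gives the same hash on every system,
    # so one precomputed table of hashes applies everywhere.
    unsalted_a, unsalted_b = fingerprint(pw), fingerprint(pw)
    # Salted: two accounts with the same password store different hashes.
    rec_a, rec_b = enroll(pw), enroll(pw)
    return {
        "unsalted_equal": unsalted_a == unsalted_b,
        "salted_equal": rec_a["hash"] == rec_b["hash"],
        "good_login": verify(pw, rec_a),
        "bad_login": verify("wrong guess", rec_a),
        # Hashing with another account's salt does not reproduce this record.
        "cross_salt": fingerprint(pw, bytes.fromhex(rec_b["salt"])) == rec_a["hash"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is stored beside the hash in the clear; it is not a secret, it only forces each record to be guessed separately. Passing `algo="sha256"` runs the same flow with a different digest.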