No. MD5 is broken. If someone insists on using MD5, trust them *less* because they may be trying to create an illusion of security where in fact none exists.

Hash functions are not, by themselves, suitable for creating encryption keys (including hashed passwords for that matter) where the security of their input is less than half their output size. Use a key derivation function. PBKDF2 can add about 10-14 bits of effective security over HMAC-SHA-1, and it's built into Node.js.

I'm not going to bother explaining here; there's too much that you can get wrong, not just the key derivation function. Get a security professional. Even if you think your application doesn't need high-level security, many people use the same passwords at many different websites, and often those passwords *do* protect critical information. Get a security professional.

I don't trust bcrypt. There's no reason to modify perfectly good ciphers unless you're being malicious. Use PBKDF2 or, if you want something memory-hard, scrypt.

Austin.

On Thursday, November 22, 2012 5:54:47 AM UTC-7, cherry wrote:
> I've registration form and I'm sending that data to mongodb through mongoskin driver and I want to encrypt those passwords at server side using md5. Can u plz help me.
