On 8 Mar 2010, at 22:42, Peter Maddin <[email protected]> wrote:
Thanks for the update
If there are any problems I can point those who like working with
VBA or VBScript to such an implementation. Do you have any links to
such VBA /VBScript code?
Maybe start here?
http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
Of course this requires that all passwords are different and are of
reasonable complexity. For half the table to be filled with easily
guessed passwords like 'password' will defeat any security measure.
It also means that a user who forgets their password must be allowed
to create a new one (or have one generated for them) as the old one
cannot (in theory) be derived from the hash.
Passwords should be one way. Unless it is data that needs to be
presented back to the user. I recently reviewed a system that used a
text representation of a user's SID as the 256 bit key to protect data
that did need to be decrypted. Sounds good in theory, except that the
first 32 chars (256 bits) of said string are identical for a given
domain. DOH!
One can easily Google for common raw MD5 hashes.
If you simply add the length of the typed password to the string to be
hashed, you at least remove the rainbow attack - which is as good as
'unhashing'. I'd look to using the username or primary key of the
user to further differentiate - this will ensure no two hashes of the
same password match.
HTH.
Regards Peter
On 9/03/2010 5:44 AM, Richard Carde wrote:
If all you need is something to generate an MD5 hash and nothing
more, you could use an MD5 implementation directly - afterall, MD5
is MD5. There are a number of VBScript/VBA implementations to
select from.
--
Richard Carde
