On 24 August 2010 16:25, Jan G.B. <ro0ot.w...@googlemail.com> wrote:
> 2010/8/24 Bob McConnell <r...@cbord.com>:
>> From: Peter Lind
>>> On 24 August 2010 15:43, Gary <php-gene...@garydjones.name> wrote:
>>>> Jan G.B. wrote:
>>>>> The weakness of MD5 is mainly because MD5 collisions are possible.
>>>>> That means, that different strings can have the same MD5-hash...
>>>> http://en.wikipedia.org/wiki/MD5#cite_note-1
>>> It's worth noting that that essentially does not touch upon whether or
>>> not MD5 can be considered safe or not as a means to store password
>>> information. The researchers have discovered ways of crafting inputs
>>> to easily find colliding hashes - they have not discovered any easy
>>> means to craft an input that will collide with a given hash.
>> That's a simple matter of brute force, which can be done once and saved
>> for instant use later. However, putting a salt into your algorithm
>> pretty much eliminates the chances of success using that attack.
>> Bob McConnell
> Thanks..
> actually it's quite annoying when you post an answer which
> tries to explain a subject and people just post a link as
> response to one citation which somehow lacks relevance on the topic.

The link posted was all the relevance there is. MD5 is not weak in the
sense that it is easy to find collisions when all you have is a hash
(which is what you were implying). MD5 is only weak in the sense that
it's possibly to generate two input texts such that the MD5 hashes of
both will collide.
 The "other" weakness of MD5 (the more relevant one here) is that
calculating an MD5 hash is relatively fast today. Which means you can
generate rainbow tables of the most common inputs in relatively little
time. Of course, these rainbow tables are worthless against more
secure passwords and/or against salted passwords.


WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to