Re: How to secure passwords?

2007-12-05 Thread Gwyn Evans
Following on with the MD5 + salt advice, the Jasypt project (http://www.jasypt.org/) looks to be the way I'd go if I needed to do this. See http://www.jasypt.org/howtoencryptuserpasswords.html for a recap of what's been discussed here. /Gwyn On 04/12/2007, John Krasnay [EMAIL PROTECTED] wrote:

Re: How to secure passwords?

2007-12-04 Thread Sebastiaan van Erk
John Krasnay wrote: I see from your later posts that your requirements are not that strict, but if anyone else on the list needs to do password hashing, here's one of the best articles I've seen on it:

Re: How to secure passwords?

2007-12-04 Thread Sebastiaan van Erk
Sebastiaan van Erk wrote: Next he goes on to state: Speed is exactly what you don’t want in a password hash function. You don’t care if password tests take twice as long, or even ten times as long, because password hashes aren’t in the 80/20 hot spot. Now the attacker. This is easy. The

Re: How to secure passwords?

2007-12-04 Thread John Krasnay
On Tue, Dec 04, 2007 at 09:36:21AM +0100, Sebastiaan van Erk wrote: John Krasnay wrote: I see from your later posts that your requirements are not that strict, but if anyone else on the list needs to do password hashing, here's one of the best articles I've seen on it:

Re: How to secure passwords?

2007-12-04 Thread Sebastiaan van Erk
John Krasnay wrote: For example: 1. take a “dictionary” - say, of all combinations of alphanumerics less than 15 characters 2. hash all of them 3. burn the results onto a DVD. The keyspace size is 62^15-1 = 76890970494878552634367. That means if you can save a hash

Re: How to secure passwords?

2007-12-03 Thread Korbinian Bachl
This is nothing about Wicket - it's about basic security. MD5 is a hash algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no longer secure (flaw found 1996), as there are tables to reverse a given MD5 (from 2003 on) to a valid input. If you need security you're best off with SHA at the moment,

Re: How to secure passwords?

2007-12-03 Thread Jeremy Levy
Pills, I don't really think this has anything to do w/ Wicket... Do a Google search for java password hash. A quick search found this: http://www.devarticles.com/c/a/Java/Password-Encryption-Rationale-and-Java-Example/ J On Dec 3, 2007 9:40 AM, Pills [EMAIL PROTECTED] wrote: Hello, I've

Re: How to secure passwords?

2007-12-03 Thread Pills
Korbinian Bachl wrote: This is nothing about Wicket - it's about basic security. MD5 is a hash algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no longer secure (flaw found 1996), as there are tables to reverse a given MD5 (from 2003 on) to a valid input thank you for your

Re: How to secure passwords?

2007-12-03 Thread Korbinian Bachl
Pills wrote: Korbinian Bachl wrote: This is nothing about Wicket - it's about basic security. MD5 is a hash algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no longer secure (flaw found 1996), as there are tables to reverse a given MD5 (from 2003 on) to a valid input thank you for

Re: How to secure passwords?

2007-12-03 Thread Sebastiaan van Erk
Korbinian Bachl wrote: However, they *CAN NOT* generate a collision for an arbitrary hash. Furthermore, doing this in a limited size string (like a password) adds another complication. They can and did! If you have a hash value, e.g. 79054025255fb1a26e4bc422aef54eb4, you can use various

Re: How to secure passwords?

2007-12-03 Thread Jeremy Levy
You are correct, I'm assuming his admin has knowledge of the salt, if there even was one... On Dec 3, 2007 1:33 PM, Sebastiaan van Erk [EMAIL PROTECTED] wrote: Jeremy Levy wrote: Don't use MD5: http://md5.rednoize.com/ 328b78157026ea76f87d3f2d7111dfb1 j I REALLY don't get your

Re: How to secure passwords?

2007-12-03 Thread Sebastiaan van Erk
Jeremy Levy wrote: You are correct, I'm assuming his admin has knowledge of the salt, if there even was one... Of course the admin will know the salt, but that does not help him reverse the MD5 hash, nor will the hash be found on the md5.rednoize.com site. So the only options left are