On 24.06.2010 00:02, Maciej Rumianowski wrote: > I'm wondering if symfony is going to use new safer hash functions. I'm > using sfGuardPlugin which uses md5 and sha1 (I didn't check it in > Doctrine's). NSA or NIST (I don't know which one) suggested that new > applications (build to be use after 2010) should use SHA-2 or similar.
sha256, 384 or 512 are indeed supported and much better than sha1, and sha1/md5 should be forgotten imo for hashing passwords. A good approach if you hash passwords is also to store them with two different hashes, so for example you store that in the db: password_sha512, password_whirlpool. Then in the case that one of those (or even both) would be cracked, it's very unlikely that an attacker would find a collision attack that works for both algorithms at the same time. This however doesn't protect against rainbow tables.. Only slow algorithms combined with decent salts can help you there. > Moreover I read on > http://laurent.bachelier.name/2010/04/and-i-thought-sfdoctrineguardplugin-was-bad…/ > that instead rand() mt_rand() should be use. In the particular case that the article mention, the hash algorithm is kinda irrelevant. Because you don't hash important data, you don't care if someone can figure it out from the hash. The key thing you want for an activation/session hash is that it is properly randomized, for which you may want to read my article on random hashes [1]. All you want is that the hash can't be guessed, and can't be stolen. If it is stolen, the attacked gains access, no matter if he can use rainbow tables or not to "dehash" it. [1] http://seld.be/notes/unpredictable-hashes-for-humans Cheers -- Jordi Boggiano @seldaek :: http://seld.be/ -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
