On 13.07.2010 17:15, Laurent Bachelier wrote:
> Actually, HMAC[1] is pretty much that — hashing twice and adding keys.

Well, what I wrote isn't entirely correct: hashing a ton of times, adding salts every time, is kinda good, because you slow down the attacker if they want to bruteforce. But still I think that relying on good salts that are unique per user, combined with a better/slower algorithm than md5, provides more than enough security. The key being the proper salting.

As for HMAC, it's not really the same. It's usually used for signing stuff with a shared private key, but I guess you could use it to store a hashed password considering the salt is the private key... but it's just semantics I think.

Cheers

--
Jordi Boggiano
@seldaek :: http://seld.be/
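An added illustration of the points in this message, not code from the thread or from symfony: a unique random salt per user combined with a deliberately slow function, next to unsalted md5. PBKDF2-HMAC-SHA256 from Python's `hashlib` is swapped in here as the "slower algorithm" (it is iterated HMAC over the salt, keyed by the password); the iteration count, record format and user names are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"  # constructed record tag, not a standard format


def unsalted_md5(password):
    """Weak baseline: fast, and identical passwords give identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$hash_hex' using a per-user random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record: wrong field count, bad hex, bad count
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    for user in ("alice", "bob"):
        print(user, "md5   ", unsalted_md5("hunter2"))
        print(user, "salted", hash_password("hunter2"))
```

With unsalted md5 both users get the same digest, so one cracked hash or one precomputed table entry covers both; the salted records differ, and each guess costs the attacker the full iteration count per user.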
