Hello,
Hi Anthony,
MD5 and SHA1 password hashes are considered weak. You are correct that
someone got a hold of your hashes they could use a dictionary of
common passwords to devise some of your user's passwords.
It makes me laugh a little when people say MD5 or SHA1 is weak or
broken. If its broken/weak
then you shouldn't have much trouble getting the original text from
this: 5528684eb56e246101ffcd1c783a8f7d
or this: 58e231c3666adef0a18d97e3485caf33
or this: d0708105f5a85704728118925646b1ca
There are a few ways to deal with this. The simplest is to just force
users to create complicated passwords. Make them use passwords that
are at least 8 characters and contain at least one digit and one
non-alphanumeric character. This makes a dictionary attack much less
practical (but by no means impossible if you have a lot of resources).
The other way is to use a hashing algorithm with a larger bitwidth.
Another is to add a salt. Better still, use all of these techniques.
Right - so MD5 is not weak. Its the user's password choice that is weak.
And a policy that enforces
users meet a minimum requirement is a start to a much tougher system to
crack; be it md5 hashes of passwords
or private/public key implementations - they are all flawed if the
password itself is easily guessed.
- Ben
_______________________________________________
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/Show-Participation
