Korbinian Bachl wrote:
This is nothing about wicket - its about base security. MD5 is a hash-algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no more secure (flaw found 1996) as there are tables to reverse given md5 (from 2003 on) to a valid input
As far as I can remember, they can generate two different documents with the same MD5 hash.
However, they *CAN NOT* generate a collision for an arbitrary hash. Furthermore, doing this in a limited size string (like a password) adds another complication.
Furthermore, there is generally no way to know what MD5 hash a user has, so even if there was an attack which could generate a string with the chosen MD5 hash, you still could not hack a user's account because you wouldn't know which MD5 hash you want your string to have.
Nope, MD5 password hashes are still perfectly fine.
I've a little question with wicket: I would like to hash my users' passwords(with md5) to make them unreadable for a human. And I also would like tohash them before sending them through the network (to avoid the biggest partof security issues). Is there a way to achieve this? Thank you ;)
Hashing the password client side is actually UNSAFE. This means the hash goes over the network, and somebody else can just send the same hash to the server to log in without ever knowing the user's password.
What you need is either:1) SSL (https) to encrypt the traffic to the server (in which case there is no need to hash passwords client side), or
2) Use a challenge response algorithm (like CRAM-MD5).Since 1) is already built into the browser and 2) is a pain and requires somebody to implement it in JavaScript, I strongly suggest you use 1).
Futhermore, trying to think of your own security algorithms, or implement known security algorithms yourself (e.g., in JavaScript) instead of using a library is very dangerous unless you are a security expert.
Regards, Sebastiaan
smime.p7s
Description: S/MIME Cryptographic Signature
