Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

Re: MD5 password encryption on a no frills script

by archen (Pilgrim)
on Oct 25, 2002 at 14:04 UTC ( [id://207994]=note: print w/replies, xml ) Need Help??


in reply to MD5 password encryption on a no frills script

Actually I'm doing pretty much the same thing. Right now I'm using the standard crypt funcition (which I think uses DES). Anyone have any references to the strength of MD5 vs. whatever crypt uses?

Replies are listed 'Best First'.
Re: Re: MD5 password encryption on a no frills script
by fokat (Deacon) on Oct 25, 2002 at 15:39 UTC
    The crypt() family of functions suffers from a poor name selection. They actually hash the original password and produce a result that is unique for a given password but that, if something similar to an inverse could exist, would return either a very large or an infinite set of potential passwords. These functions fall within what is called a cryptographically-strong hash (or digest)

    Neither the DES-based crypt() nor the MD5-based crypt() use a straight application of the respective digest algorythm. Rather, they involve complex transforms that deliberatelly "lose bits" from the supplied plaintext (ie, the password). This adds additional roadblocks to recovering the original password.

    The relative superiority of the MD5-based crypt(), stems from the fact that the MD5-based transformation can be applied to passwords of any length. The two common "flavors" of the DES-based crypt() I'm aware of, have limits in the length of the password.

    While it is true that certain "vulnerabilities" have been shown into the MD5 algorythm, it is still far away from being cracked. Note that DES has been considered obsolete since long, yet the passwords protected by DES-based crypt() still need to be cracked using brute force. I would expect the same from the MD5-based one.

    Here is where using a salt string works best, as this forces the eventual attacker to scan a much larger key space. The salt, tipically a set of random bytes concatenated to the original password and stored in-the-clear along with the hashed password, increase significantly the key space. Thanks to it, the attacker cannot count on building a large set of hashes whose passwords are known; He would have to calculate all of them just for you.

    The MD5-based crypt() allows salts of any length.

    Hope this helps.

Re: Re: MD5 password encryption on a no frills script
by sch (Pilgrim) on Oct 25, 2002 at 14:10 UTC

    According to the FreeBSD Handbook, MD5 should be more secure than DES.

    Hey, if there's code up ^^ there ^^, don't blame me if it doesn't work.

    But today you took me walking, Through a land that we have lost,
    While our children sit at websites, With no access to the cost

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://207994]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2024-03-29 13:29 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found