Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re: Re: CGI and saving passwords

by JoeJaz (Monk)
on May 04, 2004 at 17:47 UTC ( [id://350454]=note: print w/replies, xml ) Need Help??


in reply to Re: CGI and saving passwords
in thread CGI and saving passwords

I had no idea that SHA1 is better than MD5. I'll have to use that instead. It appears I don't get a donut as well :-) My original implementation was to store password cookies, but after learning about sessions and all of the other options that were much more secure than cookies... I don't know what I was thinking. Good to know about the Credit Cards and the SSL. Luckily I don't need that for this project, but I have always been curious about how to design transaction-secure applications. Thanks for your advice. Joe

Replies are listed 'Best First'.
Re: Re: Re: CGI and saving passwords
by Ryszard (Priest) on May 04, 2004 at 18:16 UTC
    At this point in time, AFAIK, the difference between sha1 and md5 and their respective security is prety well academic (I'll stand corrected, i'm not a math/crypto geek).

    Another point to note is sha1 can be a little slower to compute than md5, however on modern hardware, the difference is probably not material.

    All that said, the effort between your code using sha1 and md5 is actually zero, so you may as well use the stronger algorithm right off the bat.

      You're right, it is fairly academic ... md5 does have some known (but minor) collision problems, though.

      At this point (or level of questioning), one also might want to understand 'plaintext equivalence', just to not get in the rut of 'it's not a password but it's as GOOD as a password'. Sending md5 hashes over plaintext http is a plaintext equivalence problem. Session ID's are best. I know of a certain app that doesn't send passwords, but you can sniff the transmissions, copy the packets, and use them in a "replay attack" -- because what is sent, though not the password, is just as good as a password.

      Also see "challenge-response" type behavior (we're getting into overkill if you aren't dealing with shell accounts at this point) and maybe if you are really excited about this, read "Applied Cryptography" by Bruce S. I really don't claim to understand half of it, but it's a good skim during boring work telecoms -- and math is fun.

      Really, most people don't need to worry about all of these vulnerabilities or potential vulnerabilities, but it is important to know when you do need to know, which unfortunately most people don't know when they need to know :)

      Good to know. Though I have heard of SHA1, I had never "encountered" it before. Thanks for weighing some of the pros and cons of each hash. Joe

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://350454]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others contemplating the Monastery: (4)
As of 2024-03-29 11:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found