Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation

Re: Re: Re: CGI and saving passwords

by Ryszard (Priest)
on May 04, 2004 at 18:16 UTC ( #350469=note: print w/replies, xml ) Need Help??

in reply to Re: Re: CGI and saving passwords
in thread CGI and saving passwords

At this point in time, AFAIK, the difference between sha1 and md5 and their respective security is prety well academic (I'll stand corrected, i'm not a math/crypto geek).

Another point to note is sha1 can be a little slower to compute than md5, however on modern hardware, the difference is probably not material.

All that said, the effort between your code using sha1 and md5 is actually zero, so you may as well use the stronger algorithm right off the bat.

Replies are listed 'Best First'.
Re: Re: Re: Re: CGI and saving passwords
by flyingmoose (Priest) on May 04, 2004 at 22:50 UTC
    You're right, it is fairly academic ... md5 does have some known (but minor) collision problems, though.

    At this point (or level of questioning), one also might want to understand 'plaintext equivalence', just to not get in the rut of 'it's not a password but it's as GOOD as a password'. Sending md5 hashes over plaintext http is a plaintext equivalence problem. Session ID's are best. I know of a certain app that doesn't send passwords, but you can sniff the transmissions, copy the packets, and use them in a "replay attack" -- because what is sent, though not the password, is just as good as a password.

    Also see "challenge-response" type behavior (we're getting into overkill if you aren't dealing with shell accounts at this point) and maybe if you are really excited about this, read "Applied Cryptography" by Bruce S. I really don't claim to understand half of it, but it's a good skim during boring work telecoms -- and math is fun.

    Really, most people don't need to worry about all of these vulnerabilities or potential vulnerabilities, but it is important to know when you do need to know, which unfortunately most people don't know when they need to know :)

Re: Re: Re: Re: CGI and saving passwords
by JoeJaz (Monk) on May 05, 2004 at 05:17 UTC
    Good to know. Though I have heard of SHA1, I had never "encountered" it before. Thanks for weighing some of the pros and cons of each hash. Joe

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://350469]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (4)
As of 2023-01-30 18:54 GMT
Find Nodes?
    Voting Booth?

    No recent polls found