in reply to MD5 password encryption on a no frills script

You are really better off using SHA-1 if you can. While MD5 hasn't been completely broken, it has had enough problems over the years that it's better to shy away from it. SHA-1 doesn't suffer from the same problems, and its hash length is longer.

Oh, and be sure to use salt values :)

Re: Re: MD5 password encryption on a no frills script
by archen (Pilgrim) on Oct 25, 2002 at 15:31 UTC
    Thanks for the advice. Apparently I need to do a bit more research (I'm FAR from a cryptography expert) since I haven't really heard of SHA-1 before. I'm not exactly sure how MD5 would have problems, but the 160bit hash length of SHA1 vs 128 of MD5 makes sense to me. I'm mainly doing a password authentication type system for a few CGI scripts so speed isn't much of an issue anyway. Unfortunately it looks like there isn't any convenient password module for SHA-1 on CPAN. Luckily I have time to dig into all this a lot farther.
      Pay close attention to whether you will (or think you will) need compatibility with something else. If by any chance, you suspect you would need to generate either .htpasswd files/entries or /etc/passwd files/entries, go the Crypt::PasswdMD5 way.
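
The salt advice and the Crypt::PasswdMD5 suggestion above, combined in one added example that is not code from any participant in this thread: it writes salted .htpasswd-style entries and verifies a candidate password against one. It assumes Crypt::PasswdMD5 is installed and that /dev/urandom exists; the helper names new_salt, htpasswd_entry and check_password are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(apache_md5_crypt);

# Characters allowed in a crypt-style salt (64 of them, so byte % 64 is unbiased).
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build an 8-character salt from the kernel's random source (assumed: /dev/urandom).
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 8) == 8 or die "short read from /dev/urandom";
    close $fh;
    return join '', map { $SALT_CHARS[ ord($_) % @SALT_CHARS ] } split //, $bytes;
}

# Produce one .htpasswd line: user:$apr1$<salt>$<hash>
sub htpasswd_entry {
    my ($user, $password) = @_;
    die "bad user name\n" if $user =~ /[:\r\n]/;
    return $user . ':' . apache_md5_crypt($password, new_salt());
}

# Re-hash the candidate with the salt stored inside the entry, then compare.
sub check_password {
    my ($stored, $candidate) = @_;
    my (undef, $magic, $salt) = split /\$/, $stored;
    return 0 unless defined $salt && $magic eq 'apr1';
    my $again = apache_md5_crypt($candidate, $salt);
    return 0 unless length($again) == length($stored);
    # Accumulate differences so the loop does not stop at the first mismatch.
    my $diff = 0;
    for my $i (0 .. length($stored) - 1) {
        $diff |= ord(substr($again, $i, 1)) ^ ord(substr($stored, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed sample data: two accounts that share one password.
my $line_a = htpasswd_entry('alice', 'correct horse');
my $line_b = htpasswd_entry('bob',   'correct horse');
print "$line_a\n$line_b\n";    # same password, different salts, different hashes

my ($user, $stored) = split /:/, $line_a, 2;
print "good password accepted: ", check_password($stored, 'correct horse'), "\n";
print "bad password accepted:  ", check_password($stored, 'wrong horse'),   "\n";
```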

Re: Re: MD5 password encryption on a no frills script
by Coplan (Pilgrim) on Nov 11, 2002 at 22:09 UTC
    Unfortunately, I'm parsing into an existing database which is using the MD5 system. But, should I need to design such a system in the future, I will certainly consider the SHA-1 system. Thanks for your feedback.

    --Coplan