in reply to Passwords, hashes, and salt

If you were suggesting writing your own hash function to use instead of MD5, don't even consider it if security matters to you. MD5 has been through years of testing and review, and although there have been chinks in the armor, it's still quite usable. SHA-1 is a good alternative though, if you can find mature code for it.

Re^2: Passwords, hashes, and salt
by waswas-fng (Curate) on Jun 24, 2005 at 19:08 UTC
    There are more than a few chinks -- MD5 is broken, and it's getting worse day by day.

    Look here (offsite:rub.de) for an article that explains the current publicly announced state of things. As this gets more eyes on it, it will get even worse. MD5 digests should be considered almost as insecure as mad XOR magic. =)

    Update: just wanted to add that SHA-1 has some of the same weaknesses as MD5, but as of yet they have not been able to break it like MD5. If you are really worried you can go to something like Digest::SHA256 for a digest, but it may not be worth it yet.


    -Waswas
Re^2: Passwords, hashes, and salt
by Mr_Person (Hermit) on Jun 24, 2005 at 19:08 UTC
    No, not at all. I may not know too much about the math behind hashing functions, but I know enough to know that I shouldn't even try to make my own for real world use! :-)