in reply to Would Like Recommendation for an SHA256 module

Are there people who work with cryptographic tools and have access to a fair amount of computer horsepower who are also likely to be motivated to attack the web site of your homeowners association? To quote from the link given by ikegami:
As a user of cryptographic systems -- as I assume most readers are -- this news is important, but not particularly worrisome. MD5 and SHA aren't suddenly insecure. No one is going to be breaking digital signatures or reading encrypted messages anytime soon with these techniques. The electronic world is no less secure after these announcements than it was before.
This was written 2 years ago, but I don't believe MD5 has become substantially insecure for routine applications in the interim.

If switching to SHA256 interests you, or helps you be more knowledgeable and up-to-date, then that's a good reason to switch, but I don't think you should think of use of MD5 in debugged and running code as a significant security hole in this context.

Re^2: Would Like Recommendation for an SHA256 module
by Fletch (Bishop) on Aug 01, 2006 at 13:21 UTC

    Yeah, just go ahead and cut corners. I mean it's just like nobody would ever need more than two digits to represent a year . . .

    If it was existing code, sure it's not worth ripping out everything to change. However given that it's new code, go ahead and start correctly. Use Digest and you won't even need more than a configuration change in 17 months when SPECTRE breaks SHA-256 with the quantum computer they stole from the NSA and you have to go to SHA-1024.

      If it's new code, I certainly agree, go with what's current and flexible. On the other hand, if the OP's (TheEnigma's) statement
      I've got it working, using MD5
      means that it's working in production, and switching would mean changeover, debugging and testing, then you have to weigh that cost against the risk of continuing with MD5, which appears minimal if, as the OP says, there are no secrets and no money involved.
Re^2: Would Like Recommendation for an SHA256 module
by TheEnigma (Pilgrim) on Aug 01, 2006 at 12:08 UTC
    Are there people who work with cryptographic tools and have access to a fair amount of computer horsepower who are also likely to be motivated to attack the web site of your homeowners association?

    Well, there's that evil homeowners association just down the road... They're so competitive... ;)

    Seriously, I know exactly what you're saying; in my case any kind of encryption at all is probably more than enough. After all, there's no money or secrets involved.

    I was fat, dumb and happy using MD5 crypt until during testing, I noticed that only the first 8 characters of passwords seemed to matter. I found info on the web that MD5, (or at least the implementation I'm using, Digest::MD5), crypt only uses the first 8 characters. <update> I considered using MD5 instead of crypt. </update> Further searching revealed that MD5 and SHA1 have been broken, and if you're coding something new, you might as well go with SHA256. Since I haven't released my script yet, and since I want the whole password to count, I figured I should go with SHA256. And you're right, another reason is for me to learn.

    My main concern here is if these modules implement SHA256 properly.

    Thanks syphilis for pointing out my mistake

    TheEnigma

      I noticed that only the first 8 characters of passwords seemed to matter

      Have you got some code that demonstrates that? Here is some code that negates that statement:

      use warnings;
      use strict;
      use Digest::MD5 qw(md5_hex);

      # Three passwords that share their first 8 characters and differ only after them
      my $pass1 = '12345678zy';
      my $pass2 = '12345678ab';
      my $pass3 = '12345678mn';

      # If only the first 8 characters mattered, all three digests would be identical
      print md5_hex($pass1), "\n", md5_hex($pass2), "\n", md5_hex($pass3), "\n";
      For me, it produces:

      653080cea849964e8bd43ef33355c01b
      b86ffaf7de29e8aa87785572741025f3
      25c8c10a5673749bb097eea0e407addb

      I defy anybody to come up with an MD5 collision for any strings of equal length.

      Cheers,
      Rob
        use warnings;
        use strict;
        use Digest::MD5 qw( md5 );

        # Two 128-byte messages that differ in only a handful of bytes
        my $text1 = "\xA6\x64\xEA\xB8\x89\x04\xC2\xAC"
                  . "\x48\x43\x41\x0E\x0A\x63\x42\x54"
                  . "\x16\x60\x6C\x81\x44\x2D\xD6\x8D"
                  . "\x40\x04\x58\x3E\xB8\xFB\x7F\x89"
                  . "\x55\xAD\x34\x06\x09\xF4\xB3\x02"
                  . "\x83\xE4\x88\x83\x25\x71\x41\x5A"
                  . "\x08\x51\x25\xE8\xF7\xCD\xC9\x9F"
                  . "\xD9\x1D\xBD\xF2\x80\x37\x3C\x5B"
                  . "\x97\x9E\xBD\xB4\x0E\x2A\x6E\x17"
                  . "\xA6\x23\x57\x24\xD1\xDF\x41\xB4"
                  . "\x46\x73\xF9\x96\xF1\x62\x4A\xDD"
                  . "\x10\x29\x31\x67\xD0\x09\xB1\x8F"
                  . "\x75\xA7\x7F\x79\x30\xD9\x5C\xEB"
                  . "\x02\xE8\xAD\xBA\x7A\xC8\x55\x5C"
                  . "\xED\x74\xCA\xDD\x5F\xC9\x93\x6D"
                  . "\xB1\x9B\x4A\xD8\x35\xCC\x67\xE3";

        my $text2 = "\xA6\x64\xEA\xB8\x89\x04\xC2\xAC"
                  . "\x48\x43\x41\x0E\x0A\x63\x42\x54"
                  . "\x16\x60\x6C\x01\x44\x2D\xD6\x8D"
                  . "\x40\x04\x58\x3E\xB8\xFB\x7F\x89"
                  . "\x55\xAD\x34\x06\x09\xF4\xB3\x02"
                  . "\x83\xE4\x88\x83\x25\xF1\x41\x5A"
                  . "\x08\x51\x25\xE8\xF7\xCD\xC9\x9F"
                  . "\xD9\x1D\xBD\x72\x80\x37\x3C\x5B"
                  . "\x97\x9E\xBD\xB4\x0E\x2A\x6E\x17"
                  . "\xA6\x23\x57\x24\xD1\xDF\x41\xB4"
                  . "\x46\x73\xF9\x16\xF1\x62\x4A\xDD"
                  . "\x10\x29\x31\x67\xD0\x09\xB1\x8F"
                  . "\x75\xA7\x7F\x79\x30\xD9\x5C\xEB"
                  . "\x02\xE8\xAD\xBA\x7A\x48\x55\x5C"
                  . "\xED\x74\xCA\xDD\x5F\xC9\x93\x6D"
                  . "\xB1\x9B\x4A\x58\x35\xCC\x67\xE3";

        # Same length, different content, identical MD5 digest
        printf("len text1 %s len text2\n", length($text1) == length($text2) ? '==' : '!=');
        printf("text1 %s text2\n", $text1 eq $text2 ? 'eq' : 'ne');
        printf("md5 text1 %s md5 text2\n", md5($text1) eq md5($text2) ? 'eq' : 'ne');

        outputs

        len text1 == len text2
        text1 ne text2
        md5 text1 eq md5 text2

        Finding the collision took 8 hours using a notebook PC (Intel Pentium 1.6 GHz). That's minutes on a strong computer. Reference

        So sorry! Yes, you are correct. Please see my update in my OP above.

        TheEnigma
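An added example, not code from any poster in this thread: it ties together TheEnigma's observation that only the first 8 password characters seemed to matter (which is a property of classic DES crypt(), not of Digest::MD5) and Fletch's point that hashing through the Digest front-end module makes the algorithm a configuration value. The sample passwords and the two-character salt are constructed; the example assumes the platform's libc still provides traditional DES crypt() (newer libxcrypt builds may disable it, which the code reports rather than assumes).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest;   # core front-end; Digest->new('SHA-256') loads Digest::SHA

# Constructed sample passwords: identical first 8 characters, different tails.
my @passwords = ('12345678zy', '12345678ab');

# crypt() with a two-character salt selects classic DES crypt, which keys DES
# from the first 8 password characters only. That is what made the OP's tests
# look as if the password were being truncated.
my $salt = 'ab';   # constructed salt; a real system draws it at random
my @des  = map { crypt($_, $salt) } @passwords;
if (!defined $des[0] || !defined $des[1]) {
    print "DES crypt:  not available on this platform\n";
} elsif ($des[0] eq $des[1]) {
    print "DES crypt:  SAME hash for both passwords (only 8 chars used)\n";
} else {
    print "DES crypt:  different hashes\n";
}

# Hashing through the Digest front-end: the algorithm is a plain string, so
# moving from MD5 to SHA-256 (or something later) is a one-line change.
my $algorithm = 'SHA-256';   # try 'MD5' or 'SHA-512'; nothing else changes

sub hash_password {
    my ($algo, $salt, $password) = @_;
    my $ctx = Digest->new($algo);
    $ctx->add($salt);        # salt so equal passwords do not share a digest
    $ctx->add($password);    # the whole password goes in, not just 8 bytes
    return $ctx->hexdigest;
}

my @sha = map { hash_password($algorithm, $salt, $_) } @passwords;
printf "%-10s  %s\n", "$algorithm:",
    $sha[0] eq $sha[1] ? 'SAME hash' : 'different hashes (whole password used)';
```

For stored passwords a deliberately slow, salted password-hashing function is still preferable to any fast digest; the point here is only that the whole password is consumed and that the algorithm is swappable without touching the rest of the code.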