in reply to Re: CGI Password
in thread CGI Password

crypt is showing its age. Brute force cracking is now feasible. The basic idea is good, but I would recommend using Digest::MD5 instead. Add a "secret key" of your choice as a salt before computing the digest.

UPDATE
In response to arhuman, that is why I said to add a secret key as a salt. That can be of any length, and its purpose is to increase the search space so that brute force fails.

Re: Re (tilly) 2: CGI Password
by arhuman (Vicar) on Mar 28, 2001 at 17:46 UTC
    Hehe, MD5 is aging too; it can now be cracked in hours (up to 6 chars) or in a few days for a longer password (8 chars).

    Proof here.

    Try Digest::SHA1...

    UPDATE :
    In response to tilly
    IMHO SHA1 is a better choice because SHA1 seems more secure than MD5 (it resists collision attacks better) and is SLOWER,
    which in this case is an advantage as it renders brute force attacks less effective
    (the time penalty is unnoticeable for checking/creating ONE password, but is a real problem when you check thousands or more...)

    "Only Bad Coders Badly Code In Perl" (OBC2IP)
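
The scheme from the two posts above, as an added example that is not code from either poster: a secret key is prepended to the password before digesting, and the same routine is timed with MD5 and SHA-1 so the per-digest cost can be measured locally. The key, the sample password, and the helper names (`make_digest`, `digests_equal`, `check_password`) are assumptions, and `sha1_hex` is taken from the core Digest::SHA module rather than Digest::SHA1.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha1_hex);
use Time::HiRes qw(time);

# Assumption: constructed key; in practice it is stored apart from the digests.
my $SECRET_KEY = 'constructed-example-key-0123456789';

# Scheme from the first post: prepend the secret key, then compute the digest.
sub make_digest {
    my ($digest_fn, $password) = @_;
    return $digest_fn->($SECRET_KEY . $password);
}

# Compare two digests without stopping at the first differing character.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub check_password {
    my ($digest_fn, $stored, $candidate) = @_;
    return digests_equal($stored, make_digest($digest_fn, $candidate));
}

# Constructed sample password, stored as a keyed MD5 digest.
my $stored = make_digest(\&md5_hex, 'correct horse');
print "stored digest:            $stored\n";
print "right password accepted:  ", check_password(\&md5_hex, $stored, 'correct horse'), "\n";
print "wrong password accepted:  ", check_password(\&md5_hex, $stored, 'correct hors3'), "\n";
# The keyed digest differs from the plain digest of the same password.
print "differs from unkeyed MD5: ", ($stored ne md5_hex('correct horse') ? 1 : 0), "\n";

# Second post's point: measure the cost of one digest per algorithm.
for my $pair (['MD5', \&md5_hex], ['SHA1', \&sha1_hex]) {
    my ($name, $fn) = @$pair;
    my $start = time;
    make_digest($fn, "guess$_") for 1 .. 200_000;
    printf "%-4s 200000 digests in %.3f s\n", $name, time - $start;
}
```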