Ruben Rubio wrote:
md5 is insecure.
Use sha1 ( http://www.php.net/sha1 ) instead.

SHA1 has also been partially broken. Until more hash algorithms work
their way into PHP, using both md5 and sha1 plus the remote IP as
mentioned in a previous email would certainly add to the security of the
system.

Personally, I think that md5 is fine for the purpose outlined. I believe
that md5's weakness is in that it's possible to generate collisions, so
since in this case the original email is known, collisions are less
relevant. (They're trying to crack the "password" that is the appended
letters, by brute-forcing combinations of "<character group
1><email><character group 2>". It seems to me that collisions don't
help. Please correct me if I'm wrong - I'm definitely no cryptographer. ;-)

jon
--
PHP General Mailing List (http://www.php.net/)
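
The point discussed above, that the token stands or falls on how hard the appended secret is to guess rather than on collision resistance, shown as an added example (not code from this thread): the ad hoc md5 construction next to a keyed HMAC that uses a random 32-byte key and also binds the remote IP. The function names, the key, and the sample email and IP values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; none of these names come from the thread.

/** Ad hoc construction described in the thread: md5(<group 1><email><group 2>). */
function adhoc_token(string $email, string $group1, string $group2): string
{
    // The only unknown for a guesser is the two character groups, so the
    // token is exactly as strong as those groups are long and random.
    return md5($group1 . $email . $group2);
}

/** Keyed alternative: HMAC-SHA256 over the email and the remote IP. */
function hmac_token(string $email, string $remoteIp, string $key): string
{
    // Length-prefix each field so ("ab", "c") and ("a", "bc") can never
    // serialize to the same message.
    $message = strlen($email) . ':' . $email . '|' . strlen($remoteIp) . ':' . $remoteIp;
    return hash_hmac('sha256', $message, $key);
}

/** Recompute the token server-side and compare in constant time. */
function verify_token(string $email, string $remoteIp, string $key, string $presented): bool
{
    return hash_equals(hmac_token($email, $remoteIp, $key), $presented);
}

// Constructed sample values (documentation address ranges).
$key   = random_bytes(32);          // 256-bit secret; store it server-side only
$email = 'user@example.com';
$ip    = '192.0.2.10';

$weak  = adhoc_token($email, 'abc', 'xyz');   // secret is six letters in total
$token = hmac_token($email, $ip, $key);

// Same email and IP verifies; a different IP or email does not.
var_dump(verify_token($email, $ip, $key, $token));
var_dump(verify_token($email, '192.0.2.11', $key, $token));
var_dump(verify_token('other@example.com', $ip, $key, $token));
```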