Re: md5

tg-php@xxxxxxxxxxxxxxxxxxxxxx wrote:
Still.. that has nothing to do with how well known MD5 is (so I stand by my point).
Was not trying to refute your point. Just pointing something out with regards to the "security" of MD5 hashes, and what being "well known" or at least popular does for you. What you say is true...and at the end of the day locks only keep honest people out... (but something like this could be a decent way to check for strength of passwords..)
-B
All these databases are is a giant list of pre-MD5'd strings.  Brute force stuff, no magic behind it that allows for reversing MD5. You could technically do that with just about any crypto or hashing system.  Just happens that MD5 is one that's been focused on and more complicated systems would require exponentially more variables in what you'd have to enter.   For instance, you could do this with PGP, but I'm guessing you'd have to have at least two pass phrases and how many things go into generating the public and private keys, plus the message/file that was encrypted.  So for one short text string, you could possibly have a database as large as all the MD5 projects put together... but you could potentially do the same thing.   At that point it's highly prohibitive though.

I got the idea that MD5 really wasn't what he was looking for anyway, so going into detail about the security of it didn't seem fruitful.  I talk too much as it is. hah

This is a good point though.  MD5 isn't great security, particularly with the databases like the one you mentioned, but most of us aren't storing national security documents.   As with security since the dawn of time, it's all a matter of how valuable is what you're protecting versus the cost of implementing a protection scheme.   7-11 doesn't hire secret service to protect against midnight robberies.

-TG



= = = Original message = = =

tg-php@xxxxxxxxxxxxxxxxxxxxxx wrote:
So the fact that MD5 is a well known algorithm doesn't really make a difference as far as security goes.
Except for the fact of the growing number of databases that will map the hashes back to the clear text (for example: http://md5.benramsey.com/) Of course it is nice because it is a common implementation, and can be done on the server side, as well as the client side.







--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
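
The lookup databases discussed in this thread, and the password-strength check suggested in it, as an added PHP example that is not part of the original messages. The account names, passwords and candidate list are constructed, and the helper names build_lookup() and audit_md5() are hypothetical.

```php
<?php
// Added example, not code from the thread. All names and passwords are constructed.

// A "reverse MD5 database" is only a map of hash => plaintext for strings
// that someone hashed in advance. Nothing is being reversed.
function build_lookup(array $candidates): array
{
    $table = [];
    foreach ($candidates as $plain) {
        $table[md5($plain)] = $plain;
    }
    return $table;
}

// Audit stored unsalted MD5 hashes: a hit means the password is in the
// candidate list and should be treated as weak.
function audit_md5(array $stored, array $table): array
{
    $weak = [];
    foreach ($stored as $user => $hash) {
        $key = strtolower($hash);           // md5() emits lowercase hex
        if (isset($table[$key])) {
            $weak[$user] = $table[$key];
        }
    }
    return $weak;
}

$common = ['password', '123456', 'letmein', 'qwerty'];  // constructed candidates
$table  = build_lookup($common);

// Constructed account table: alice uses a listed password, bob does not.
$stored = [
    'alice' => md5('letmein'),
    'bob'   => md5('R7#vq!9zLm-T2'),
];
print_r(audit_md5($stored, $table));

// password_hash() generates a random salt on every call, so the same password
// produces a different string each time and a table keyed on the hash
// has nothing to match. Verification needs the candidate password itself.
$h1 = password_hash('letmein', PASSWORD_DEFAULT);
$h2 = password_hash('letmein', PASSWORD_DEFAULT);
var_dump($h1 === $h2);
var_dump(isset($table[$h1]));
var_dump(password_verify('letmein', $h1));
```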

