Hi,

That's true. It provides a message digest of 128 bits. Its strong collision resistance is 2^64. So finding a collision is hard even though it is proved less secure than SHA-384 and SHA-512. A rule of thumb in technology is utilizing what is needed. If MD5 is sufficient, utilizing more costly hash functions is unnecessary.

Heysem

-----Original Message-----
From: richard.heyes@xxxxxxxxx [mailto:richard.heyes@xxxxxxxxx] On Behalf Of Richard Heyes
Sent: Wednesday, December 31, 2008 12:37 PM
To: Phpster
Cc: Murray; php-general@xxxxxxxxxxxxx
Subject: Re: Is MD5 still considered safe for storing application user passwords?

Hi,

> ...

You should also take into account how crucial your data is. If it's nuclear launch codes I would say that you can't get enough security. However if it's an admin system for Bob's local grocery store, then as "Phpster" suggested, a salted hash may well be enough. For example, you could use this:

<?php
$hash = md5($password . 'salt - bhuyfuyftyfctujvikhgvbhjiftye5645rt68ty97tgifyvcu6yt7d');
?>

--
Richard Heyes

HTML5 Graphing for FF, Chrome, Opera and Safari:
http://www.rgraph.org (Updated December 20th)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
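An added example, not code from either message in this thread: it puts the fixed-salt MD5 scheme quoted above beside PHP's built-in `password_hash()` / `password_verify()` (available since PHP 5.5, so after this 2008 exchange) and shows a login check that accepts old MD5 records and flags them for re-hashing. The function names `legacy_hash`, `store_password` and `check_login`, the salt string and the passwords are constructed for illustration.

```php
<?php
// Added example; salt, passwords and function names are constructed.

// Scheme from the quoted message: MD5 over the password plus one fixed salt.
function legacy_hash(string $password): string
{
    return md5($password . 'salt - constructed-site-wide-value');
}

// Hardened form: password_hash() draws a random salt on every call and
// stores algorithm, cost and salt inside the returned string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login against either record type and say whether the stored
// value should be replaced with a fresh password_hash() string.
function check_login(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy MD5 record: constant-time compare, always upgrade on success.
        $ok = hash_equals($stored, legacy_hash($password));
        return ['ok' => $ok, 'rehash' => $ok];
    }
    $ok = password_verify($password, $stored);
    return ['ok' => $ok,
            'rehash' => $ok && password_needs_rehash($stored, PASSWORD_DEFAULT)];
}

// Two users who picked the same (constructed) password.
$alice = 'correct horse';
$bob   = 'correct horse';

// With a fixed salt, equal passwords always produce equal stored values.
var_dump(legacy_hash($alice) === legacy_hash($bob));

// With a per-password salt the stored strings differ, yet both verify.
$a = store_password($alice);
$b = store_password($bob);
var_dump($a === $b, check_login($bob, $b)['ok']);

// A legacy record still verifies and is migrated at the next login.
$old = legacy_hash($alice);
if (check_login($alice, $old)['rehash']) {
    $old = store_password($alice);   // overwrite the stored value
}
var_dump(check_login($alice, $old));
```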