On 24 August 2010 16:25, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote: > 2010/8/24 Bob McConnell <rvm@xxxxxxxxx>: >> From: Peter Lind >> >>> On 24 August 2010 15:43, Gary <php-general@xxxxxxxxxxxxxxx> wrote: >>>> Jan G.B. wrote: >>>> >>>>> The weakness of MD5 is mainly because MD5 collisions are possible. >>>>> That means, that different strings can have the same MD5-hash... >>>> >>>> http://en.wikipedia.org/wiki/MD5#cite_note-1 >>> >>> It's worth noting that that essentially does not touch upon whether or >>> not MD5 can be considered safe or not as a means to store password >>> information. The researchers have discovered ways of crafting inputs >>> to easily find colliding hashes - they have not discovered any easy >>> means to craft an input that will collide with a given hash. >> >> That's a simple matter of brute force, which can be done once and saved >> for instant use later. However, putting a salt into your algorithm >> pretty much eliminates the chances of success using that attack. >> >> Bob McConnell >> > Thanks.. > actually it's quite annoying when you post an answer which > tries to explain a subject and people just post a link as > response to one citation which somehow lacks relevance on the topic. > The link posted was all the relevance there is. MD5 is not weak in the sense that it is easy to find collisions when all you have is a hash (which is what you were implying). MD5 is only weak in the sense that it's possibly to generate two input texts such that the MD5 hashes of both will collide. The "other" weakness of MD5 (the more relevant one here) is that calculating an MD5 hash is relatively fast today. Which means you can generate rainbow tables of the most common inputs in relatively little time. Of course, these rainbow tables are worthless against more secure passwords and/or against salted passwords. Regards Peter -- <hype> WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 </hype> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
