2010/8/24 Peter Lind <peter.e.lind@xxxxxxxxx>:
> On 24 August 2010 16:25, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
>> 2010/8/24 Bob McConnell <rvm@xxxxxxxxx>:
>>> From: Peter Lind
>>>
>>>> On 24 August 2010 15:43, Gary <php-general@xxxxxxxxxxxxxxx> wrote:
>>>>> Jan G.B. wrote:
>>>>>
>>>>>> The weakness of MD5 is mainly because MD5 collisions are possible.
>>>>>> That means, that different strings can have the same MD5-hash...
>>>>>
>>>>> http://en.wikipedia.org/wiki/MD5#cite_note-1
>>>>
>>>> It's worth noting that that essentially does not touch upon whether or
>>>> not MD5 can be considered safe or not as a means to store password
>>>> information. The researchers have discovered ways of crafting inputs
>>>> to easily find colliding hashes - they have not discovered any easy
>>>> means to craft an input that will collide with a given hash.
>>>
>>> That's a simple matter of brute force, which can be done once and saved
>>> for instant use later. However, putting a salt into your algorithm
>>> pretty much eliminates the chances of success using that attack.
>>>
>>> Bob McConnell
>>>
>> Thanks..
>> actually it's quite annoying when you post an answer which
>> tries to explain a subject and people just post a link as
>> response to one citation which somehow lacks relevance on the topic.
>>
>
> The link posted was all the relevance there is. MD5 is not weak in the
> sense that it is easy to find collisions when all you have is a hash
> (which is what you were implying). MD5 is only weak in the sense that
> it's possible to generate two input texts such that the MD5 hashes of
> both will collide.
> The "other" weakness of MD5 (the more relevant one here) is that
> calculating an MD5 hash is relatively fast today. Which means you can
> generate rainbow tables of the most common inputs in relatively little
> time. Of course, these rainbow tables are worthless against more
> secure passwords and/or against salted passwords.
>
> Regards
> Peter
>

Hi Peter, this clears it up for me. So I was quite correct with my post. :-)
Have a nice day.

Regards,
Jan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
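
The effect of a salt on precomputed tables, which the thread discusses, shown as an added PHP example that is not part of any poster's message. The word list and passwords are constructed, the function names are hypothetical, and a plain hash-to-password lookup array stands in for a real rainbow table; the closing `password_hash()` call shows PHP's built-in salted and deliberately slow alternative to a fast hash such as MD5.

```php
<?php
// Added illustration; every password and word below is constructed sample data.

// Precomputed table (hash => plaintext), built once from common inputs.
// A simple lookup array is used here in place of a true rainbow table.
function build_table(array $words): array {
    $table = [];
    foreach ($words as $w) {
        $table[md5($w)] = $w;
    }
    return $table;
}

// Unsalted storage: the stored value depends on the password alone.
function store_unsalted(string $password): string {
    return md5($password);
}

// Salted storage: a random per-user salt is kept next to the hash.
function store_salted(string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

// Login check for a salted record, using a constant-time comparison.
function verify_salted(string $password, array $record): bool {
    return hash_equals($record['hash'], md5($record['salt'] . $password));
}

$table = build_table(['123456', 'password', 'letmein', 'qwerty']);

$unsalted = store_unsalted('letmein');
$userA    = store_salted('letmein');
$userB    = store_salted('letmein');   // second user, same password

$report = [
    'unsalted hash found in precomputed table' => isset($table[$unsalted]),
    'salted hash found in precomputed table'   => isset($table[$userA['hash']]),
    'salted login still verifies'              => verify_salted('letmein', $userA),
    'same password gives same salted hash'     => $userA['hash'] === $userB['hash'],
];

// A salt stops table reuse but MD5 stays fast to compute, so per-record
// guessing remains cheap. password_hash() salts and slows the hash itself.
$slow = password_hash('letmein', PASSWORD_DEFAULT);
$report['password_hash record verifies'] = password_verify('letmein', $slow);

foreach ($report as $label => $result) {
    printf("%-42s %s\n", $label . ':', $result ? 'yes' : 'no');
}
```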