[pLog-svn] Salted MD5

Mark Wu markplace at gmail.com
Mon Mar 10 10:26:00 EDT 2008


Here comes a more secure algorithm:

sha256(md5($password) . md5($your_provide_private_key));

I use sha256 here.

Here also comes the pure PHP sha256 implementation:

http://nanolink.ca/pub/sha256/

If the server has "hash" pecl, it will use it instead of the pure one.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> Sent: Monday, March 10, 2008 7:25 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Salted MD5
> 
> Hi Mark
> 
> I welcome your suggestion and think that this is valuable 
> protection against rainbow table attacks.
> 
> We already had an issue with the revealed admin password 
> hash. This would have been less severe with the salted md5.
> 
> Thanks for suggesting!
> 
> reto
> 
> Mark Wu wrote:
> > Hi All:
> >  
> > I plan to upgrade our password algorithm to salted MD5, take the 
> > following for example:
> >  
> > sha1(md5($password) . user_defined_private_key);
> >  
> > I will also retain an option in the lifetype admin panel for the
> > user to use the old MD5 way to keep compatibility.
> >  
> > If we use the algorithm above, it is also possible to convert the
> > old hashed password to the new hashed password.
> >  
> > What do you think?
> >  
> > http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.html
> >  
> > These kinds of online reverse lookup table sites make the MD5-only 
> > algorithm more dangerous.
> >  
> > Mark
> > 
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> 
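
The scheme from Mark's message, together with the conversion of already-stored MD5 hashes that his earlier mail mentions, as an added example that is not part of the thread or of LifeType's code. The function names, key value and user table are constructed for illustration, and PHP's built-in `hash()` is assumed in place of the linked pure-PHP sha256.

```php
<?php
// Added example; all names below are hypothetical, not LifeType code.

// Constructed site-wide private key (placeholder value).
const PRIVATE_KEY = 'constructed-site-key-for-illustration';

// Because the inner value of the scheme is md5($password), a stored legacy
// MD5 hash can be upgraded in place without knowing the password.
function new_hash_from_legacy_md5(string $legacyMd5, string $key): string
{
    return hash('sha256', strtolower($legacyMd5) . md5($key));
}

// Scheme from the thread: sha256(md5($password) . md5($key)).
function new_hash_from_password(string $password, string $key): string
{
    return new_hash_from_legacy_md5(md5($password), $key);
}

// Constant-time comparison of the stored hash with the login attempt.
function verify_password(string $password, string $stored, string $key): bool
{
    return hash_equals($stored, new_hash_from_password($password, $key));
}

// Constructed legacy table: username => md5(password).
$legacyUsers = [
    'alice' => md5('correct horse'),
    'bob'   => md5('correct horse'),   // same password as alice
    'carol' => md5('tr0ub4dor'),
];

// One-off migration of every stored hash to the new format.
$upgraded = [];
foreach ($legacyUsers as $user => $md5) {
    $upgraded[$user] = new_hash_from_legacy_md5($md5, PRIVATE_KEY);
}

// A login with the original password still verifies after migration.
var_dump(verify_password('correct horse', $upgraded['alice'], PRIVATE_KEY));
var_dump(verify_password('wrong guess', $upgraded['alice'], PRIVATE_KEY));

// The key is shared by all accounts, so equal passwords still produce equal
// hashes; only a per-user salt would make alice's and bob's values differ.
var_dump($upgraded['alice'] === $upgraded['bob']);
```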