[pLog-svn] Salted MD5
Mark Wu
markplace at gmail.com
Mon Mar 10 10:26:00 EDT 2008
Here comes a more secure algorithm:
sha256(md5($password) . md5($your_provide_private_key));
I use sha256 here.
Here also comes the pure PHP sha256 implementation:
http://nanolink.ca/pub/sha256/
If the server has "hash" pecl, it will use it instead of the pure one.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> Sent: Monday, March 10, 2008 7:25 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Salted MD5
>
> Hi Mark
>
> I welcome your suggestion and think that this is valuable
> protection against rainbow table attacks.
>
> We already had an issue with the revealed admin password
> hash. This would have been less severe with the salted md5.
>
> Thanks for suggesting!
>
> reto
>
> Mark Wu wrote:
> > Hi All:
> >
> > I plan to upgrade our password algorithm to salted MD5, take the
> > following for example:
> >
> > sha1(md5($password) . user_defined_private_key);
> >
> > I will also keep an option in the LifeType admin panel for users to use
> > the old MD5 way to keep compatibility.
> >
> > If we use the algorithm above, it is also possible to convert the old
> > hashed password to the new hashed password.
> >
> > What do you think?
> >
> >
> > http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.html
> >
> > These kinds of online reverse lookup table sites make the MD5-only
> > algorithm more dangerous.
> >
> > Mark
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
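
The conversion mentioned in the thread works because the new hash is computed over md5($password), so a stored MD5 digest can be upgraded without the plaintext. The following PHP is an added example, not code from the thread or from LifeType; SITE_KEY, the function names and the sample users are constructed for illustration, and it assumes legacy rows hold 32-character hex MD5 digests.

```php
<?php
// Added example, not LifeType code. SITE_KEY and all function names are hypothetical.
const SITE_KEY = 'constructed-example-private-key';

// Scheme from the thread: sha256(md5(password) . md5(private_key)).
// Its input is the legacy MD5 digest, so the plaintext is never needed.
function upgrade_legacy_hash(string $md5Hex, string $siteKey): string
{
    return hash('sha256', $md5Hex . md5($siteKey));
}

function hash_password(string $password, string $siteKey): string
{
    return upgrade_legacy_hash(md5($password), $siteKey);
}

// Accepts both formats so the "old MD5 way" option keeps working:
// 32 hex chars = legacy MD5, 64 hex chars = upgraded SHA-256.
function verify_password(string $password, string $stored, string $siteKey): bool
{
    $candidate = strlen($stored) === 32
        ? md5($password)
        : hash_password($password, $siteKey);
    return hash_equals($stored, $candidate); // constant-time comparison
}

// Constructed sample rows standing in for a users table with legacy hashes.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => md5('hunter2'),
    'carol' => md5('hunter2'),
];

// One-off migration: rewrite every legacy row in place, no passwords required.
foreach ($users as $name => $stored) {
    if (strlen($stored) === 32) {
        $users[$name] = upgrade_legacy_hash($stored, SITE_KEY);
    }
}

// Login checks against the migrated rows: correct and incorrect password.
var_dump(verify_password('correct horse', $users['alice'], SITE_KEY));
var_dump(verify_password('wrong guess', $users['alice'], SITE_KEY));
// The key is site-wide rather than per-user, so this compares two accounts
// that share a password to show whether their stored hashes still match.
var_dump($users['bob'] === $users['carol']);
```

Because the key is shared by every account, it defeats precomputed MD5 lookup tables but does not make two users' hashes differ; a random per-user salt stored beside each hash would.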