[pLog-svn] Salted MD5

Jon Daley plogworld at jon.limedaley.com
Mon Mar 10 10:47:59 EDT 2008


How much more secure is that than simply:

md5($password . $private_key)

And are there any downsides of the new method - i.e. will it fail on
upgrades, or fail for certain servers, etc?


On Mon, 10 Mar 2008, Mark Wu wrote:

> Here comes a more secure algorithm:
>
> sha256(md5($password)+md5($your_provide_private_key));
>
> I use sha256 here.
>
> Here also comes the pure php sha256 implementation:
>
> http://nanolink.ca/pub/sha256/
>
> If the server has "hash" pecl, it will use it instead of the pure one.
>
> Mark
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
>> Sent: Monday, March 10, 2008 7:25 PM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] Salted MD5
>>
>> Hi Mark
>>
>> I welcome your suggestion and think that this is valuable
>> protection against rainbow table attacks.
>>
>> We already had an issue with the revealed admin password
>> hash. This would have been less severe with the salted md5.
>>
>> Thanks for suggesting!
>>
>> reto
>>
>> Mark Wu wrote:
>>> Hi All:
>>>
>>> I plan to upgrade our password algorithm to salted MD5, take the
>>> following for example:
>>>
>>> sha1(md5($password) + user_defined_private_key);
>>>
>>> I will also keep an option in the LifeType admin panel for users to use
>>> the old MD5 way to keep compatibility.
>>>
>>> If we use the algorithm above, it is also possible to convert the old
>>> hashed password to new hashed password.
>>>
>>> What do you think?
>>>
>>> http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.html
>>>
>>> These kinds of online reverse lookup table sites make the MD5-only
>>> algorithm more dangerous.
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn

-- 
Jon Daley
http://jon.limedaley.com/

We are all made different, but we are all sinners.
-- Jim Herron
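
The upgrade question above, as an added PHP example that is not from the original thread or from LifeType's code: the proposed sha256(md5($password) ...) form can be computed from an already stored md5($password), while md5($password . $private_key) cannot. It reads the thread's `+` as string concatenation and assumes PHP 7 or later; the function names, `$siteKey` and the sample passwords are constructed for illustration.

```php
<?php
// Added example, not LifeType code. Key and passwords below are constructed.
$siteKey = 'constructed-site-private-key';

// Scheme stored before the change: plain md5 of the password.
function legacy_hash(string $password): string {
    return md5($password);
}

// Scheme proposed in the thread, with "+" read as concatenation.
function wrapped_hash(string $password, string $siteKey): string {
    return hash('sha256', md5($password) . md5($siteKey));
}

// Alternative asked about in the reply.
function keyed_md5(string $password, string $siteKey): string {
    return md5($password . $siteKey);
}

// Convert a stored legacy hash in place; the plaintext password is not needed.
function upgrade_stored_hash(string $storedMd5, string $siteKey): string {
    return hash('sha256', $storedMd5 . md5($siteKey));
}

// Login check accepting both formats, told apart by hex length
// (32 chars = md5, 64 chars = sha256). Comparison is constant-time.
function verify_password(string $password, string $stored, string $siteKey): bool {
    $expected = strlen($stored) === 64
        ? wrapped_hash($password, $siteKey)
        : legacy_hash($password);
    return hash_equals($stored, $expected);
}

$old = legacy_hash('correct horse');         // row as stored before the upgrade
$new = upgrade_stored_hash($old, $siteKey);  // same row after batch conversion

// The converted row equals what a fresh registration would store.
var_dump($new === wrapped_hash('correct horse', $siteKey));
// Both old and converted rows verify; a wrong password does not.
var_dump(verify_password('correct horse', $old, $siteKey));
var_dump(verify_password('correct horse', $new, $siteKey));
var_dump(verify_password('wrong guess', $new, $siteKey));
// md5($password . $key) cannot be rebuilt from the stored md5($password),
// so that scheme can only be adopted as each user next logs in.
var_dump(md5($old . $siteKey) === keyed_md5('correct horse', $siteKey));
```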

