- Subject: Re: Storing passwords
- From: William Ahern <william@...>
- Date: Tue, 22 May 2012 00:02:05 -0700
On Mon, May 21, 2012 at 10:19:53PM +0200, Paco Willers wrote:
> Thanks to all!
> I now use http://www.keplerproject.org/md5/. The md5.sumhexa(message)
> function is what I was looking for. This library also contains several
> other functions which have my interest.
> About bcrypt and others... As mentioned, they are safer, but as long as my
> application in development (a telnet game) receives transmitted passwords
> as plain-text, there is a new challenge for me to solve that first. :-)
If you insist on using bare MD5, you should at least use HMAC-MD5, using the
password as the secret key and the salt as the message. MD5 alone is
effectively broken for all cryptographic uses.
It's one thing to be explicit about not providing a particular security
measure, in this case transport security (i.e. unencrypted transmission).
It's quite another to implement a measure incorrectly. Using MD5 alone is
barely a step up from ROT13 at this point. At least with ROT13 there're no
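
Added example, not part of the original message: the HMAC-MD5 construction suggested in the reply (password as the secret key, salt as the message), built from a bare MD5 primitive per RFC 2104. It is written in Python; the function names, the 16-byte salt and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import os

BLOCK = 64  # MD5 block size in bytes


def hmac_md5(key, msg):
    """HMAC-MD5 per RFC 2104, built from the bare MD5 primitive."""
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()   # over-long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")       # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def make_record(password):
    """Return (salt, tag) for storage: password is the key, salt the message."""
    salt = os.urandom(16)                 # fresh random salt per account
    return salt, hmac_md5(password.encode("utf-8"), salt)


def check_password(password, salt, tag):
    """Recompute the tag from the stored salt and compare in constant time."""
    candidate = hmac_md5(password.encode("utf-8"), salt)
    return hmac.compare_digest(candidate, tag)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    salt, tag = make_record("hunter2")
    print("stored:", salt.hex(), tag.hex())
    print("correct password:", check_password("hunter2", salt, tag))
    print("wrong password:  ", check_password("hunter3", salt, tag))
    # Two accounts with the same password get different tags (different salts),
    # whereas bare MD5 of the password would give the same value for both.
    _, tag2 = make_record("hunter2")
    print("tags differ:", tag != tag2)
```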