Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation

Re: MD5 password encryption on a no frills script

by archen (Pilgrim)
on Oct 25, 2002 at 14:04 UTC ( #207994=note: print w/replies, xml ) Need Help??

in reply to MD5 password encryption on a no frills script

Actually I'm doing pretty much the same thing. Right now I'm using the standard crypt funcition (which I think uses DES). Anyone have any references to the strength of MD5 vs. whatever crypt uses?
  • Comment on Re: MD5 password encryption on a no frills script

Replies are listed 'Best First'.
Re: Re: MD5 password encryption on a no frills script
by fokat (Deacon) on Oct 25, 2002 at 15:39 UTC
    The crypt() family of functions suffers from a poor name selection. They actually hash the original password and produce a result that is unique for a given password but that, if something similar to an inverse could exist, would return either a very large or an infinite set of potential passwords. These functions fall within what is called a cryptographically-strong hash (or digest)

    Neither the DES-based crypt() nor the MD5-based crypt() use a straight application of the respective digest algorythm. Rather, they involve complex transforms that deliberatelly "lose bits" from the supplied plaintext (ie, the password). This adds additional roadblocks to recovering the original password.

    The relative superiority of the MD5-based crypt(), stems from the fact that the MD5-based transformation can be applied to passwords of any length. The two common "flavors" of the DES-based crypt() I'm aware of, have limits in the length of the password.

    While it is true that certain "vulnerabilities" have been shown into the MD5 algorythm, it is still far away from being cracked. Note that DES has been considered obsolete since long, yet the passwords protected by DES-based crypt() still need to be cracked using brute force. I would expect the same from the MD5-based one.

    Here is where using a salt string works best, as this forces the eventual attacker to scan a much larger key space. The salt, tipically a set of random bytes concatenated to the original password and stored in-the-clear along with the hashed password, increase significantly the key space. Thanks to it, the attacker cannot count on building a large set of hashes whose passwords are known; He would have to calculate all of them just for you.

    The MD5-based crypt() allows salts of any length.

    Hope this helps.

Re: Re: MD5 password encryption on a no frills script
by sch (Pilgrim) on Oct 25, 2002 at 14:10 UTC

    According to the FreeBSD Handbook, MD5 should be more secure than DES.

    Hey, if there's code up ^^ there ^^, don't blame me if it doesn't work.

    But today you took me walking, Through a land that we have lost,
    While our children sit at websites, With no access to the cost

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://207994]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (7)
As of 2018-05-24 18:12 GMT
Find Nodes?
    Voting Booth?