Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??
i tried to make it really well md5īd ;)
  1. I think 1 application of MD5 would do the job as I don't think MD5 hashes can be reversed at present. ie MD5 has not been cracked yet apart from "collision" attacks.
    However there are much more secure hashes like SHA-2.
    See http://en.wikipedia.org/wiki/MD5#Security, and http://en.wikipedia.org/wiki/SHA-2

  2. There are reasons why you might want to do a very large number of repeated invocations of a hash function. This is called Key stretching (see "(A)" below)
    However, "very large" is a lot more than 3 ;). Maybe 1,000s or much, much more.
    eg maybe see how many invocations you can do in 0.1 sec or 1 sec on the target system, and use that number of hash invocations.
    Adjust bcrypt cost to prevent future password hash attacks proposes a method which will keep password hashes strong, even as CPU speeds increase.

  3. Also, you should ideally use a large salt that is different for each user. (see "(B)" below)

From http://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification:
Password verification

A related application is password verification. Storing all user passwords as cleartext can result in a massive security breach if the password file is compromised. One way to reduce this danger is to only store the hash digest of each password. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. (Note that this approach prevents the original passwords from being retrieved if forgotten or lost, and they have to be replaced with new ones.) The password is often concatenated with a random, non-secret salt value before the hash function is applied. The salt is stored with the password hash. (B) Because users have different salts, it is not feasible to store tables of precomputed hash values for common passwords. (A) Key stretching functions, such as PBKDF2, Bcrypt or Scrypt, typically use repeated invocations of a cryptographic hash to increase the time required to perform brute force attacks on stored password digests.

Main article: http://en.wikipedia.org/wiki/Password_cracking

I hope this is of interest! :)

In reply to Re^3: Digest::MD5 variation problem? by zork42
in thread Digest::MD5 variation problem? by AlexTape

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (2)
As of 2024-03-19 06:11 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found