NYCPHP Meetup

[Ben Sgro]

Hello,
> Hi Anthony,
>
> MD5 and SHA1 password hashes are considered weak. You are correct that
> someone got a hold of your hashes they could use a dictionary of
> common passwords to devise some of your user's passwords.
>   
It makes me laugh a little when people say MD5 or SHA1 is weak or 
broken. If its broken/weak
then you shouldn't have much trouble getting the original text from 
this: 5528684eb56e246101ffcd1c783a8f7d

or this: 58e231c3666adef0a18d97e3485caf33
or this: d0708105f5a85704728118925646b1ca

> There are a few ways to deal with this. The simplest is to just force
> users to create complicated passwords. Make them use passwords that
> are at least 8 characters and contain at least one digit and one
> non-alphanumeric character. This makes a dictionary attack much less
> practical (but by no means impossible if you have a lot of resources).
> The other way is to use a hashing algorithm with a larger bitwidth.
> Another is to add a salt. Better still, use all of these techniques.
>   
Right - so MD5 is not weak. Its the user's password choice that is weak. 
And a policy that enforces
users meet a minimum requirement is a start to a much tougher system to 
crack; be it md5 hashes of passwords
or private/public key implementations - they are all flawed if the 
password itself is easily guessed.

- Ben