[cgiapp] [announce] OO MVC jumpstart/starter application

Ron Savage ron at savage.net.au
Thu Dec 4 23:23:45 EST 2008


Hi Mark

On Thu, 2008-12-04 at 23:07 -0500, Mark Rajcok wrote:
> On Thu, Dec 4, 2008 at 10:38 PM, Mark Rajcok <mrajcok at gmail.com> wrote:
> 
> > > For those people who still think MD5 offers some type of security, I
> > > suggest you direct readers to:
> > > http://en.wikipedia.org/wiki/Rainbow_table
> >
> >
> > Thanks, I didn't realize I was just hashing, not really encrypting.  I'll
> > switch.  What would you recommend instead?  Crypt::PasswdMD5?  and randomly
> > generate a salt each time I write the encrypted password to the database?
> >
> 
> I wrote too soon... switching may be difficult.  I'm using
> CAP-Authentication, and it looks like my only options are crypt, MD5, SHA1.
> Is crypt any better?
> Maybe I should just change the tutorial and remove any talk of security?

SHA1 is more secure, but it's a question of what you are trying to
achieve.

For example, if you transmit the password in the clear, or an MD5 or SHA1
version of it, and someone were to intercept any of those, they could
replay the interception (without caring about the hashing technique).

If you wish to avoid that, use https.

Or, if you wish to simply disguise the password, use SHA1.

-- 
Ron Savage
ron at savage.net.au
http://savage.net.au/index.html
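As an added example that is not part of this thread, the tutorial, or CAP-Authentication, the bare MD5 storage Mark describes sits beside a per-user salted, iterated replacement (PBKDF2-HMAC-SHA256 with a constant-time check); it is written in Python rather than Perl so it runs as-is, and the user names and passwords are constructed sample values. Whatever is stored, Ron's point still holds: a value carried over a cleartext connection can be replayed, so the transport needs https regardless of the hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials, not real user data.
# Two users deliberately share a password to show the salting effect.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def store_unsalted_md5(password: str) -> str:
    """What the original tutorial did: a bare MD5 digest.

    Identical passwords yield identical records, so one precomputed
    (rainbow) table covers every user in the database at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256.

    The salt and iteration count are stored with the digest (a '$'-separated
    record, a format chosen for this example) so the value can be verified.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def records_collide(store, passwords) -> bool:
    """True when two users with the same password get the same stored value."""
    records = [store(p) for p in passwords]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    pw = list(USERS.values())
    print("unsalted MD5 collides:", records_collide(store_unsalted_md5, pw))
    print("salted PBKDF2 collides:", records_collide(store_salted, pw))
```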