[cgiapp] [announce] OO MVC jumpstart/starter application
Michael Peters
mpeters at plusthree.com
Fri Dec 5 08:59:58 EST 2008
Mark Rajcok wrote:
> Thanks, I didn't realize I was just hashing, not really encrypting. I'll
> switch. What would you recommend instead? Crypt::PasswdMD5? and randomly
> generate a salt each time I write the encrypted password to the database?
Using a random (or pseudo-random) salt will defeat rainbow tables. Not only does it make the
password "longer" and less feasible for a rainbow table (the tables grow exponentially as the number
of characters in the pw grows) but it means that 2 people with the same password will actually have
different MD5 hashes.
At this point no one has broken MD5 (you can create MD5 collisions if you know what you're doing,
but this doesn't mean you can reverse an MD5 hash). But everyone also agrees that SHA1 is more
secure than MD5. Although at this point it doesn't matter which one you choose because your hashing
algorithm is not going to be your weakest link.
--
Michael Peters
Plus Three, LP
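The per-password random salt described in this thread, as an added example that is not from the original post or from Crypt::PasswdMD5. It uses Python's hashlib so the mechanism is visible end to end; the "algorithm$salt$digest" record format is an assumption made up for this example, and the same pattern applies to the Perl modules discussed above.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed record format for this example: "<algorithm>$<hex salt>$<hex digest>".
# Storing the salt next to the digest is normal; the salt is not a secret, it only
# forces an attacker to build a separate table per stored password.

def hash_password(password: str, algorithm: str = "md5",
                  salt: Optional[bytes] = None) -> str:
    """Hash a password under a fresh random salt and return a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # new pseudo-random salt each time a password is written
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return f"{algorithm}${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, salt_hex, digest = record.split("$", 2)
    candidate = hashlib.new(
        algorithm, bytes.fromhex(salt_hex) + password.encode("utf-8")
    ).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return hmac.compare_digest(candidate, digest)


def unsalted_records_collide(password: str, algorithm: str = "md5") -> bool:
    """Without a salt, two users sharing a password store the identical digest."""
    a = hashlib.new(algorithm, password.encode("utf-8")).hexdigest()
    b = hashlib.new(algorithm, password.encode("utf-8")).hexdigest()
    return a == b


def salted_records_differ(password: str, algorithm: str = "md5") -> bool:
    """With random salts, the same password yields two different records that both verify."""
    a = hash_password(password, algorithm)
    b = hash_password(password, algorithm)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("unsalted collide:", unsalted_records_collide(pw))
    print("salted differ:   ", salted_records_differ(pw))
    print("sha1 record:     ", hash_password(pw, "sha1"))
```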