[cgiapp] Re: [announce] OO MVC jumpstart/starter application
Mark Stosberg
mark at summersault.com
Fri Dec 5 09:41:25 EST 2008
On Fri, 05 Dec 2008 15:23:45 +1100
Ron Savage <ron at savage.net.au> wrote:
> Hi Mark
>
> On Thu, 2008-12-04 at 23:07 -0500, Mark Rajcok wrote:
> > On Thu, Dec 4, 2008 at 10:38 PM, Mark Rajcok <mrajcok at gmail.com> wrote:
> >
> > > > For those people who still think MD5 offers some type of security, I
> > > > suggest you direct readers to:
> > > > http://en.wikipedia.org/wiki/Rainbow_table
> > >
> > > Thanks, I didn't realize I was just hashing, not really encrypting. I'll
> > > switch. What would you recommend instead? Crypt::PasswdMD5? and randomly
> > > generate a salt each time I write the encrypted password to the database?
> > >
> >
> > I wrote too soon... switching may be difficult. I'm using
> > CAP-Authentication, and it looks like my only options are crypt, MD5, SHA1.
> > Is crypt any better?
> > Maybe I should just change the tutorial and remove any talk of security?
>
> SHA1 is more secure, but it's a question of what you are trying to
> achieve.
>
> For example, if you transmit the password in clear, or an MD5 or SHA1
> version of it, if someone were to intercept any of those they could
> replay the interception (without caring about the hashing technique).
>
> If you wish to avoid that, use https.
>
> Or, if you wish to simply disguise the password, use SHA1.
I'll just add that I back up Ron's recommendations here.
Mark
--
. . . . . . . . . . . . . . . . . . . . . . . . . . .
Mark Stosberg Principal Developer
mark at summersault.com Summersault, LLC
765-939-9301 ext 202 database driven websites
. . . . . http://www.summersault.com/ . . . . . . . .
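The point Ron and Mark Rajcok are circling, shown in code rather than prose: an unsalted MD5 of a password is a fixed value that a precomputed table can map straight back to the password, while a per-record random salt makes every stored value unique, so such a table cannot be reused. This is an added illustration in Python, not code from the cgiapp tutorial or from CGI::Application::Plugin::Authentication; it goes slightly beyond the thread by also iterating the hash (PBKDF2), which slows guessing as well as defeating lookup. The "precomputed table" is constructed inline from three sample passwords.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a rainbow/lookup table: unsalted MD5 of a few
# common passwords, keyed by hex digest so a stored hash can be reversed.
PRECOMPUTED_MD5 = {
    hashlib.md5(p.encode()).hexdigest(): p
    for p in ("password", "letmein", "123456")
}

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware gets faster


def unsalted_md5(password: str) -> str:
    """What the original tutorial stored: same password, same digest, always."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """Reverse an unsalted hash by table lookup; None if it is not in the table."""
    return PRECOMPUTED_MD5.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' for the database, with a fresh random salt per record.

    The salt is not secret; it only has to be unique so that two users with the
    same password get different stored values and no precomputed table applies.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

As Ron notes, none of this helps if the password itself travels in clear over the wire; the salted hash protects the stored copy, and HTTPS protects the one in transit.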