On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura
<rsmogura@softperience.eu> wrote:
>
> You should actually only consider safty of storing of such passwords in
> database. If with md5 the password isn't digested like in DIGEST HTTP auth,
> and only md5 shortcut is transfferd it has no meaning if you will transfer
> over network clear password or md5 password (ok has if you use same password
> in at least two services both storing password with md5). On higher level
> you may note that MD5 is little bit out-dated and it's not considered
> secure, currently I think only SHA-256 is secure.
>
> If you suspect that someone on your network may sniff password use cert auth
> or kerberos or one of it mutations.
While MD5 is considered broken for certain applications, it's still
perfectly valid for auth purposes.
