On Wed, 21 Aug 2002, Tim Ellis wrote:
> I always run my passwords through md5sum(), which is an open source
> implementation, and thus seems to've been written in every language out
> there.
But a straight md5sum leaves you open to a dictionary attack. You want
to add some salt by doing something like this:
salt = random_4_char_string;
encrypted_password = salt + md5sum(salt + cleartext_password);
To verify, just extract the salt from the encrypted password and redo the
calculation.
A dictionary attack is now much less feasible because the same cleartext
password can encrypt to millions of different ciphertext passwords.
--
David.
