MD5 Passwords in MySql?
Daniel O'Connor
doconnor at gsoft.com.au
Sun Mar 24 18:29:38 EDT 2013
On 25/03/2013, at 7:33, Charles Bradshaw <brad at bradcan.homelinux.com> wrote:
>> That seems very wrong to me.
>
> It might be a kludge, but it's not wrong. It avoids storing plain text
> passwords, which are always a risk. The purpose of MD5 digest is to make
> passwords truly private to the user. Not even root knows users' passwords
> when stored in shadow(MD5).
>
> The only risk to shadow passwords is a brute force attack which is
> relatively easy to detect and foil.
FYI a single round of MD5 is considered quite weak these days.
The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt).
A modern GPU can brute force billions of passwords per second and humans suck at generating them.
--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
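
Added example, not part of the original message or of any Cyrus/MySQL code: one way to move a password table off single-round salted MD5 by re-hashing with a slow, iterated KDF at the next successful login. The `scheme$...` storage format, the function names and the PBKDF2-HMAC-SHA256 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: work factor chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password: str, salt: bytes) -> str:
    """Single-round salted MD5, the kind of hash the message calls insufficient."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash: each guess costs `iterations` HMAC-SHA256 calls."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str):
    """Return (ok, replacement); replacement is a new hash to store, or None."""
    scheme, *fields = stored.split("$")
    if scheme == "md5" and len(fields) == 2:
        salt_hex, digest = fields
        guess = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        ok = hmac.compare_digest(guess, digest)
        # Correct password on a legacy row: upgrade it while we have the plaintext.
        return ok, (hash_password(password) if ok else None)
    if scheme == "pbkdf2_sha256" and len(fields) == 3:
        iters, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        ok = hmac.compare_digest(dk.hex(), dk_hex)
        # Re-hash if the stored work factor is below the current setting.
        stale = ok and int(iters) < PBKDF2_ITERATIONS
        return ok, (hash_password(password) if stale else None)
    return False, None  # unknown or malformed scheme: reject


if __name__ == "__main__":
    row = legacy_md5("correct horse", os.urandom(8))  # constructed sample row
    ok, replacement = verify("correct horse", row)
    print(ok, replacement)
```

Rows that never log in again keep their MD5 hash, so a migration like this still needs a cutoff after which legacy rows are forced through a password reset.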