Joshua D. Drake wrote:
Simply put, MD5 is no longer strong enough for protecting secrets. It's just too easy to brute-force. SHA1 is ok for now, but it's days are numbered as well. I think it would be good to alter SHA1 (or something stronger) as an alternative to MD5, and I see no reason not to use a random salt instead of username.If you aren't paying close enough attention to your database server tosee that someone is trying to brute force your MD5 password you have bigger problems.
The comments on md5 and sha1 are both inaccurate if you're comparing them. Encrypted passwords are as strong as the design of the password. In some cases, SHA-1 is a faster brute force because SHA-1 is a faster hash. There are two issues here. Using SHA-1 to hash a password, and the strength of a password. If the implementation of SHA-1 is not effective, there could be weaknesses that enable reducing the time required to perform exhaustive/dictionary attacks against sha-1 protected password.
I'm out of context, but I had to make some corrections. -- Best Regards, Lance James Secure Science Corporation www.securescience.com Author of 'Phishing Exposed' http://www.securescience.net/amazon/ Have Phishers stolen your customers' logins? Find out with DIA https://slam.securescience.com/signup.cgi - it's free!