Serendipity Forums

garvinhicking wrote:Ha. Wait.

We can't update the MD5 hashes, because we don't know the passwords of the users.

This is easy - Use a rainbow table!

stm999999999 wrote:

garvinhicking wrote:Ha. Wait.

We can't update the MD5 hashes, because we don't know the passwords of the users.

This is easy - Use a rainbow table!

Sadly that would take care of almost everyone's password. I agree that it should of course be salted. Though the best thing is for people to use unique passwords for each and every site. I happen to use http://passwordmaker.sourceforge.net/ so that no two passwords are ever the same. If your site gets hacked and exposes unsalted hashes of the users which then can easily found with rainbow tables, very bad for the users. The best idea is to salt the already calculated hash into the new saltedhash. The downside is having to always hash twice

For example my password = password and username = username

Existing hash is for "password"
Then you use the following to generate the new hash Results in this new hash to be used This would render rainbow tables useless while having backwards compatibility and could use the username, sitename, or a custom salt. All without knowing the users current password.

Unfortunately for people that use the same passwords for all of their accounts it doesn't protect against 'honey pot' sites that are set up to store the passwords in plain text and then they use those to try and access your other accounts on other sites.

As far as moving away from md5, I can't see any reason to do so. I believe the chances of a collision is too slim for this implementation.