New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Insecure password hash #794

Closed
lgvz opened this Issue Aug 28, 2014 · 3 comments

Comments

Projects
None yet
3 participants
@lgvz

lgvz commented Aug 28, 2014

The only reason to hash passwords is security, which is why it's pointless to provide an insecure password hash. And you know MD5 is not secure. It's useless. All it can do is provide false sense of security.

@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Aug 28, 2014

Member

You are completely right, this legacy code is harmful at best. I'll deprecate the functionality and remove it later.

Member

s-ludwig commented Aug 28, 2014

You are completely right, this legacy code is harmful at best. I'll deprecate the functionality and remove it later.

@etcimon

This comment has been minimized.

Show comment
Hide comment
@etcimon

etcimon Aug 28, 2014

Contributor

The MD5 algorithm is still used as HMAC-MD5 in PBKDF2 (pass+salt | iterate X times), it's also useful for simple message signing or as a pseudo-random algo for uniform key hashing (data distribution). It should probably be displaced though

Contributor

etcimon commented Aug 28, 2014

The MD5 algorithm is still used as HMAC-MD5 in PBKDF2 (pass+salt | iterate X times), it's also useful for simple message signing or as a pseudo-random algo for uniform key hashing (data distribution). It should probably be displaced though

@s-ludwig

This comment has been minimized.

Show comment
Hide comment
@s-ludwig

s-ludwig Aug 28, 2014

Member

It's also not as much MD5 itself that is the main issue with the simple password hash function, but that it doesn't use HMAC and only a 32-bit salt. It was just meant as a placeholder and never really for public use.

Member

s-ludwig commented Aug 28, 2014

It's also not as much MD5 itself that is the main issue with the simple password hash function, but that it doesn't use HMAC and only a 32-bit salt. It was just meant as a placeholder and never really for public use.

@s-ludwig s-ludwig closed this in e166078 Aug 28, 2014

marcioapm added a commit to marcioapm/vibe.d that referenced this issue Sep 4, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment