Posted: Mon Jan 22, 2007 12:18 pm
by feyd
As long as you're using decent salts, I have no major problem with people continuing to use md5() or sha1() for a while longer. However, as computer processing power becomes more and more powerful, I would suggest moving away from the more collision-prone hashes to larger hashes. Equally, the more secure a site should be, the larger a hash you should be going for.

And of course, never ever ever double hash.

Posted: Mon Jan 22, 2007 12:31 pm
by shiznatix
feyd wrote: And of course, never ever ever double hash.
I'm gonna do it just to spite you :twisted:

Posted: Mon Jan 22, 2007 12:40 pm
by Kieran Huggins
Sounds like a McDonald's breakfast upgrade...

Posted: Mon Jan 22, 2007 12:45 pm
by Luke
feyd wrote: And of course, never ever ever double hash.
Thanks for that feyd... I remember doing that a while back... because to me it seemed logical. :oops:

Posted: Mon Jan 22, 2007 12:49 pm
by Kieran Huggins
What's the danger in a double hash?

I presume you mean hash(hash($something))

Posted: Mon Jan 22, 2007 1:06 pm
by Mordred
Or here it is as a nursery rhyme (better fit for newbie developers, eh ;) ) (last word is stressed)

Never-never ever-ever double-double hash!

Posted: Mon Jan 22, 2007 1:07 pm
by Luke
I'm assuming it has something to do with the fact that a hash has fewer available characters so it's easier to predict or something? feyd... help me out here. :?

Posted: Mon Jan 22, 2007 1:30 pm
by feyd
A double hash simply decreases the entropy. I'd rather not rehash the same discussion, so have a look at the following:

viewtopic.php?t=54132
viewtopic.php?t=50944
viewtopic.php?t=49803
viewtopic.php?t=45069
viewtopic.php?t=37210
viewtopic.php?t=39096
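
The shrinking set of reachable outputs behind the answer above can be measured on a hash small enough to enumerate completely. This is an added example, not code from the thread; the 16-bit truncation of md5() and the names toy_hash() and image_size() are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the thread.
// Toy hash: md5() truncated to 16 bits, so every possible value can be enumerated.
const BITS = 16;

function toy_hash(int $x): int
{
    // Hash the 2-byte big-endian encoding of $x and keep the first 2 digest bytes.
    $digest = md5(pack('n', $x), true);
    return unpack('n', substr($digest, 0, 2))[1];
}

/** Count the distinct outputs left after applying toy_hash() $rounds times to every input. */
function image_size(int $rounds): int
{
    $space = 1 << BITS;
    $seen = [];
    for ($x = 0; $x < $space; $x++) {
        $v = $x;
        for ($r = 0; $r < $rounds; $r++) {
            $v = toy_hash($v);   // rounds = 2 is hash(hash($something))
        }
        $seen[$v] = true;        // array keys give a set of reachable values
    }
    return count($seen);
}

$space = 1 << BITS;
foreach ([1, 2, 3] as $rounds) {
    $n = image_size($rounds);
    printf(
        "%d pass(es): %5d of %d values reachable (%.1f%%, %.2f bits)\n",
        $rounds, $n, $space, 100 * $n / $space, log($n, 2)
    );
}
```

Each extra pass can only map into values the previous pass already produced, so the reachable set never grows. For an ideal random function the expected share is about 63% after one pass and about 47% after two, which on a full-width digest amounts to roughly one bit.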

Posted: Mon Jan 22, 2007 2:50 pm
by Kieran Huggins
feyd wrote: ...I'd rather not rehash...
8O

Isn't that what we're talking about already? rehashing?

Thanks for the links - I got it now :wink: