[dundee] Awesome Password Tricks
Rick Moynihan
rick.moynihan at gmail.com
Fri Feb 26 13:40:57 UTC 2010
On 26 February 2010 12:03, Gavin Carr <gavin at openfusion.com.au> wrote:
> Hi Rick,
>
> One criticism though: the crypto here is weak. See this post for lots of
> gory details:

Yes, the crypto isn't exactly military grade (not that that's all it's
cracked up to be ;-) ), but in practice it's "good enough". My
concerns with passwords etc. are primarily aimed at mitigating risks
associated with data breaches... The economics of attacks mean that
though the theoretical threat from not using md5-hmac is real, it's
unlikely that you'll face a determined attack.

Still, I entirely agree with your points about using md5-hmac in
preference to vanilla md5. It would be good to port all these
implementations to use md5-hmac... sadly, of course, changing the
algorithm means all your (my) passwords need to be changed.

R.