Wednesday, January 16, 2002, 6:45:40 PM, [EMAIL PROTECTED] wrote:

> I'm using a nice little GDBM file for authentication. It just stores users
> and passwords as SHA1 hashes. When I need to authenticate someone (fewer
> than 15 lines in the dbm file) I just tie it and compare the SHA'd user
> input against the hex value in the dbm file. (The file is not publicly
> readable.)

> It has been suggested, however, that this is not adequately secure and that
> the passwords would be better stored crypted or some such. I don't really
> see the difference between a SHA password and a crypted password in this
> context. Wouldn't they be equally difficult to crack?

crypt and SHA do basically the same thing - take some bits
(a password in this case) and turn it into some other
sequence of bits, unpredictably.

That is, assuming you're talking about the "crypt" function
that's often used when dealing with unix passwd files.

SHA1 is probably more "secure" than crypt, but that is assuming
the only way someone would try cracking your passwords would
be a dictionary attack, where they try hashing lots of
potential passwords (dictionary words) and comparing them to
the values stored in your dbm file.

SHA and crypt() would be equally vulnerable to a dictionary
attack.
I'd stick with SHA. Hashing functions don't get better than
that.

-- 
Best Regards,
Daniel                   [EMAIL PROTECTED]
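The exchange above, as an added example that is not part of the original mail or the poster's GDBM setup: the first scheme mirrors the unsalted hex-SHA1 storage the poster describes, the second is a salted, iterated alternative (PBKDF2 over SHA-256 from Python's standard library, chosen here instead of the Perl/GDBM tie in the question). The user names, passwords and word list are constructed for the demonstration, and the `dictionary_matches` helper exists only to show why one precomputed table serves every unsalted entry while a per-user salt forces the work to be redone per account.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not from the original mail).
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
# Constructed word list standing in for a dictionary attack.
DICTIONARY = ["password", "letmein", "hunter2", "qwerty"]

ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def store_unsalted_sha1(password):
    """The scheme described in the mail: hex SHA1 of the raw password."""
    return hashlib.sha1(password.encode()).hexdigest()


def verify_unsalted_sha1(stored_hex, password):
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored_hex, store_unsalted_sha1(password))


def store_salted_pbkdf2(password, salt=None, iterations=ITERATIONS):
    """Hardened alternative: random per-user salt plus iterated hashing.

    The record carries everything needed to verify later, so the
    parameters can be raised over time without a flag day.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(stored, password):
    """Recompute with the stored salt and iteration count, then compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def dictionary_matches(stored_values, dictionary):
    """How many unsalted records a single precomputed table identifies.

    Because the hash depends only on the password, one table of
    SHA1(word) values is built once and checked against every user.
    With a per-user salt no such shared table exists.
    """
    table = {store_unsalted_sha1(word): word for word in dictionary}
    return {user: table[h] for user, h in stored_values.items() if h in table}


def demo():
    unsalted = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    # alice and bob share a password: identical unsalted records, distinct salted ones
    same_unsalted = unsalted["alice"] == unsalted["bob"]
    same_salted = salted["alice"] == salted["bob"]
    hits = dictionary_matches(unsalted, DICTIONARY)
    return same_unsalted, same_salted, sorted(hits)


if __name__ == "__main__":
    print(demo())
```

Two records for the same password are identical under the unsalted scheme and different under the salted one, which is the whole reason a dictionary attack against the unsalted GDBM file costs one hash per candidate word for the entire user base rather than per user.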

