Frederic Da Vitoria wrote on Fri, 30 Oct 2015:
2015-10-30 16:39 GMT+01:00 Jonas Maebe <jonas.ma...@elis.ugent.be>:
Never ever use CRC32 in a crypto context, it's completely unsuited and
easily cracked. The subject of this thread is already about finding an
implementation for scrypt, which is a (at this time considered) secure
hashing algorithm.
My point is precisely that in this situation, there would be nothing to
crypt. Just check validity.
Yes, that's what *secure* hash functions are for. CRC32 is not secure
in any way. scrypt and bcrypt are secure.
So use CRC64 if you want (the size difference
won't probably be relevant by current standards), but don't store the
actual password. What isn't there can't be cracked, not even with future
technology :-)
It can already be cracked very quickly with yesterday's technology,
using so-called rainbow tables. Or even just by quickly creating a
hash collision, see e.g.
http://www.irongeek.com/i.php?page=videos/weak-hashing-algorithms-outlook-pst-file-crc32-password-cracking-example or
http://www.woodmann.com/fravia/crctut1.htm
Jonas
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
