I wonder when people will learn that there are guys whose only job is to think about these things. And the outcome cannot be beaten by in-house solutions no matter what, first because they do that 8 hours a day, 5 days a week. An in-house solution simply cannot compete. Not to mention that usually the knowledge on the subject is less than satisfactory when it comes to regular Joe the programmer. I wonder how many on this list know what the SHA algorithm is. I frankly admit that I have no idea how it is built, and the truth is I don't care. All I know is that, for the time being, it is considered the most secure. Why would I try to compete with those guys? Any of them could eat me for breakfast.
Bottom line: stick to industry-proven solutions. Every single time. No matter if it's storing passwords, or using SQL parameters instead of concatenating the SQL and checking for invalid input (this was discussed a while ago). Stick to standards and you'll be safe. Try to do it on your own, and sooner or later someone will get through. It's not "if", it's just "when".

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On Behalf Of Gérard Lochon
Sent: Thursday, December 22, 2011 1:01 AM
To: profoxt...@leafe.com
Subject: Re: Alternatives to storing a user's password in your database

From: "MB Software Solutions
>>> I defy anyone to recover the password from the stored value :-).
>>
>> There is a big risk of collision using your method.
>> As the result set is composed of only 65128 different values, it
>> doesn't take a long time to input in the routine a string whose
>> result will be the same value as the stored one ...
> Are you saying that two different values could end up with the same
> resulting value from his algorithm?

Exactly. You can enter 256**20 (1.461E+48) different strings, but only 65128 checksums are possible with this algorithm.

[excessive quoting removed by server]

Post Messages to: ProFox@leafe.com
This message: http://leafe.com/archives/byMID/profox/000a01ccc036$f321b020$d9651060$@gmail.com
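The two points made in this exchange, that a checksum with only 65128 possible outputs must collide once you feed it more than 65128 inputs, and that the answer is to use a standard, proven password-hashing construction, can both be demonstrated in a few lines. The following is an added example, not code from this thread or from anyone on the list; `toy_checksum` is a constructed stand-in with the same tiny output space (the original algorithm is not shown, so nothing here reproduces it), and `store_password` / `verify_password` use only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison). The function and record field names are the example's own choices.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Size of the checksum output space quoted in the thread: 65128 distinct values.
CHECKSUM_SPACE = 65128

# Work factor for PBKDF2; a deployment would tune this to its hardware.
PBKDF2_ITERATIONS = 200_000


def toy_checksum(s: str) -> int:
    """Constructed stand-in for a home-made checksum with 65128 possible outputs.

    This is NOT the algorithm discussed on the list (it is not shown there);
    it only reproduces the property that matters: a tiny output space.
    """
    acc = 0
    for i, byte in enumerate(s.encode("utf-8")):
        acc = (acc * 31 + byte * (i + 1)) % CHECKSUM_SPACE
    return acc


def output_space_bits(n_outputs: int) -> float:
    """Effective size of an output space in bits (65128 values is just under 16 bits)."""
    return math.log2(n_outputs)


def find_guaranteed_collision() -> Optional[tuple]:
    """Pigeonhole principle: CHECKSUM_SPACE + 1 distinct inputs must produce a collision.

    Returns (a, b) with a != b and toy_checksum(a) == toy_checksum(b).
    The inputs are constructed 20-character strings, all distinct.
    """
    seen = {}
    for i in range(CHECKSUM_SPACE + 1):
        candidate = f"user{i:016d}"  # "user" + 16 digits = 20 characters
        digest = toy_checksum(candidate)
        if digest in seen:
            return seen[digest], candidate
        seen[digest] = candidate
    return None  # unreachable: more inputs than possible outputs


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Industry-standard storage: random per-user salt + PBKDF2-HMAC-SHA256.

    The returned record is what you would persist in the user table instead of
    the password itself. The salt parameter exists only so tests are repeatable.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algo": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print(f"toy checksum output space: {output_space_bits(CHECKSUM_SPACE):.2f} bits")
    a, b = find_guaranteed_collision()
    print(f"collision: {a!r} and {b!r} both map to {toy_checksum(a)}")
    record = store_password("correct horse battery staple")
    print("stored record:", record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("wrong horse", record))
```

Running it shows the constructed checksum colliding well before the 65129th input, which is exactly the weakness raised in the quoted reply: an attacker does not need the original password, only any string that maps to the stored value. The PBKDF2 record, by contrast, gives two users with the same password different stored values (different salts) and makes each guess cost the full iteration count.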