Re: PGSQL encryption functions
From | Bruno Wolff III |
---|---|
Subject | Re: PGSQL encryption functions |
Date | |
Msg-id | 20051102185930.GA10108@wolff.to |
In reply to | Re: PGSQL encryption functions ("Mark R. Dingee" <mark.dingee@cox.net>) |
Replies | Re: PGSQL encryption functions |
List | pgsql-sql |
On Tue, Nov 01, 2005 at 17:00:50 -0500, "Mark R. Dingee" <mark.dingee@cox.net> wrote:
> Bruno,
>
> I use an authenticate() function as a part of state maintenance in a PHP web
> app. In the function, I generate an encrypted token that is then used in the
> validation process on subsequent pages. md5 works, but I've been able to
> brute-force crack it very quickly, so I'm looking for an alternative. Any
> thoughts would be greatly appreciated.

This isn't a problem with MD5. While MD5 does have some theoretical weaknesses, they aren't really an issue in this case.

Why are you using a hash at all? If you are using the hash as a key, why not just use a random string instead? The web browser could be handed a session id and random string and on the server you would have a table indexed by session ids that includes the random string.

On many systems you can use /dev/urandom as a source of random data. Since you don't seem to be concerned about sniffing, /dev/random is probably overkill and having it block when low on entropy would probably be a problem for you.
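
The scheme suggested in the message above (session id plus random string, checked against a server-side table), sketched as an added example that is not part of the original post. It assumes an in-memory sqlite3 table standing in for the PostgreSQL one; the table layout, function names, token size and expiry policy are all assumptions made for illustration.

```python
import hmac
import os
import sqlite3
import time

TOKEN_BYTES = 16     # 128 bits per value (assumed size)
SESSION_TTL = 1800   # seconds a session stays valid (assumed policy)

def open_store():
    """Create the server-side table indexed by session id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY,"
               " token TEXT NOT NULL, user_name TEXT NOT NULL,"
               " expires_at REAL NOT NULL)")
    return db

def authenticate(db, user_name, now=None):
    """Call after the login check succeeds; returns (session_id, token)."""
    now = time.time() if now is None else now
    # os.urandom reads the operating system's CSPRNG, the same kind of
    # source as /dev/urandom, so nothing here is derived from user data.
    session_id = os.urandom(TOKEN_BYTES).hex()
    token = os.urandom(TOKEN_BYTES).hex()
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (session_id, token, user_name, now + SESSION_TTL))
    return session_id, token

def validate(db, session_id, token, now=None):
    """Return the user name for a valid (session_id, token) pair, else None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT token, user_name, expires_at FROM sessions"
                     " WHERE session_id = ?", (session_id,)).fetchone()
    if row is None:
        return None                      # unknown session id
    stored, user_name, expires_at = row
    if now >= expires_at:
        # Expired: remove the row so the pair can never be replayed.
        db.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
        return None
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return None
    return user_name
```

Because the token is random rather than a hash of guessable input, there is nothing to brute-force offline; an attacker has to guess 128 bits against the live table.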