Re: password encryption
| From | David F. Skoll |
|---|---|
| Subject | Re: password encryption |
| Date | |
| Msg-id | Pine.LNX.4.44.0208212137490.22466-100000@shishi.roaringpenguin.com |
| In reply to | Re: password encryption (Tim Ellis <Tim.Ellis@gamet.com>) |
| Responses | Re: OT: password encryption (salt theory) |
| List | pgsql-admin |
On Wed, 21 Aug 2002, Tim Ellis wrote:
> I always run my passwords through md5sum(), which is an open source
> implementation, and thus seems to've been written in every language out
> there.
But a straight md5sum leaves you open to a dictionary attack. You want
to add some salt by doing something like this:
```text
salt = random_4_char_string;
encrypted_password = salt + md5sum(salt + cleartext_password);
```
To verify, just extract the salt from the encrypted password and redo the
calculation.
A dictionary attack is now much less feasible because the same cleartext
password can encrypt to millions of different ciphertext passwords.
--
David.
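The salted scheme sketched above, written out as an added Python example (this is not code from David's message or from the PostgreSQL project): a random 4-character salt is prepended to the stored value, the digest is MD5 over salt plus cleartext, and verification re-derives the digest from the salt stored in front of it. The names `hash_password`, `verify_password` and `salt_space_size` are assumptions for this example; the constant-time comparison is an addition beyond the posting.

```python
import hashlib
import secrets
import string

# 4 characters drawn from [A-Za-z0-9], as in the posting's random_4_char_string
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LEN = 4
DIGEST_LEN = 32  # hex length of an MD5 digest


def make_salt(length=SALT_LEN):
    """Return a random salt from SALT_ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(cleartext, salt=None):
    """encrypted_password = salt + md5sum(salt + cleartext_password)."""
    if salt is None:
        salt = make_salt()
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d characters" % SALT_LEN)
    digest = hashlib.md5((salt + cleartext).encode("utf-8")).hexdigest()
    return salt + digest


def verify_password(cleartext, stored):
    """Extract the salt from the stored value and redo the calculation."""
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hashlib.md5((salt + cleartext).encode("utf-8")).hexdigest()
    # compare_digest avoids leaking where the mismatch occurs via timing
    return secrets.compare_digest(recomputed, digest)


def salt_space_size(length=SALT_LEN, alphabet=SALT_ALPHABET):
    """Number of distinct salts, i.e. how many stored values one cleartext
    can map to; a precomputed dictionary must be this many times larger."""
    return len(alphabet) ** length


if __name__ == "__main__":
    # constructed sample credential for the demonstration
    stored = hash_password("correct horse")
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse", stored))
    print("verify wrong:", verify_password("incorrect horse", stored))
    print("possible salts:", salt_space_size())
```

Two users with the same password now get different stored values, so a table of precomputed MD5 digests no longer matches; `salt_space_size()` shows the factor by which such a table would have to grow (62 to the 4th, roughly 14.8 million, the "millions" in the message). The same salt-prefix layout works unchanged with a slower password hash in place of MD5.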