Date: Mon, 13 Jun 2005 21:53:24 +0400
From: Solar Designer <>
Subject: Re: using John to crack MD5 password with more than 13 characters

> Solar Designer wrote:
> >MD5 (as well as SHA1, etc.) is not intended to be used for password
> >hashing, and it is quite bad at that, -- unless you wrap it in a
> >higher-level algorithm which implements salts and multiple iterations
> >(thousands to millions, -- preferably with the number encoded along
> >with the hashes).
> >
> >For applications written in PHP, you can use my PHP password hashing
> >framework: [...]

On Tue, Jun 07, 2005 at 01:42:19AM -0300, Alceu Rodrigues de Freitas Jr. wrote:
> Thanks for your advice. My application doesn't really use PHP
> but JSP. :-)
> Of course I would accept any idea about different algorithms to use with
> Java or Perl too.

The advice and the algorithms would be the same.  I just don't have a
Java or Perl implementation.  If you don't mind reliance on some C
code, you can wrap my crypt_blowfish package into a Perl module (in
fact, I know people did that before).

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:
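
The scheme described in the quoted advice (a per-password salt, many iterations, and the iteration count stored along with the hash), as an added example that is not part of the original message and is not code from crypt_blowfish or the PHP framework mentioned. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt; the `pbkdf2-sha256` label, the `$`-separated record layout and the iteration counts are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"       # label made up for this example
DEFAULT_ITERATIONS = 200_000   # assumed cost; tune to your hardware
MAX_ITERATIONS = 10_000_000    # assumed cap so a corrupt record cannot stall a login


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'scheme$iterations$salt$digest' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and count read back from the stored record."""
    try:
        scheme, count, salt_b64, digest_b64 = stored.split("$")
        iterations = int(count)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(stored: str, target: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was created with a lower count than the target."""
    try:
        return int(stored.split("$")[1]) < target
    except (IndexError, ValueError):
        return True
```

Because the count travels with each record, the default can be raised later: old records still verify with their own count, and `needs_rehash` flags them for re-hashing at the next successful login.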
