Quote:
Originally Posted by kovidgoyal
Oh and just by the way, if you are storing hashed passwords for digest auth, that means you have to hash them with md5, without a salt, which means they can be pretty trivially brute-forced.
|
I never ever would come to the idea to store hashed passwords without a salt no matter which hashing algorithm is used. And if I have the choice, I would never use MD5 for password hashing at all because of its brute force weakness that u too mentioned
(see also:
https://security.stackexchange.com/q...dered-insecure
or this:
"As of 2010, the CMU Software Engineering Institute considers MD5 "cryptographically broken and unsuitable for further use",[29] and most U.S. government applications now require the SHA-2 family of hash functions.[30] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature." (from:
https://en.wikipedia.org/wiki/MD5))