PHP Developers Network

[twinedev]

While is has been preached here for a while that MD5 is not a good choice to use for password hashing, it was definitely confirmed:

http://phk.freebsd.dk/sagas/md5crypt_eol.html

As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.

More info: http://www.zdnet.com/blog/security/md5- ... safe/12317 including:

The primary cause [of the decrypting of some of the 6.4 million passwords leaked] is LinkedIn’s failure to properly ’salt’ the hashed passwords using SHA-1 algorithm.

Saw an article this morning that eharmony was also compromised, however didn't catch if they are also being easily decrypted.

-Greg

[Celauran]

This simply cannot be mentioned often enough. Thanks for posting this.

[twinedev]

Add another one to the list.... last.fm
http://www.theverge.com/2012/6/7/307063 ... sword-leak

[twinedev]

I declare it "(Inter)National Change Your Password Day" LOL

[requinix]

As others have mentioned elsewhere, the whole "scrambler" thing bothers me.

Meanwhile SHA-1 is getting towards the end of its lifetime too. Current recommendations are at least SHA-256.

[greyhoundcode]

Current recommendations are at least SHA-256.

Or indeed to move away from such rapidly executing hash functions altogether.

[twinedev]

Or indeed to move away from such rapidly executing hash functions altogether.

So then what do you suggest?

[Celauran]

bcrypt with a high work factor.

[Live24x7]

Time to get back and closely read:

LOGIN & REGISTRATION Script Tutorial at viewtopic.php?f=28&t=135287

[requinix]

I thought MD5 secured and safe. Is it true that it is considered no longer safe??

Yes. And stop spamming.