Meredith L. Patterson wrote:
> Magnus Hagander wrote:
>>> this has implications for storing passwords as MD5 hashes. My
>>>
>> That would be the only system use of MD5. What implications are those?
>>
>> We might want to consider using a safer hash for the password storage at
>> some point, but from what I gather it's not really urgent for *that* use.
>>
> It would be a lot more urgent if we weren't salting, but IIRC we are.
If we really want something safer for system use in passwords, we ought
to be using HMAC instead. I don't believe and weaknesses of MD5 have
been found when it is used for HMAC. It has the added advantage that
there is no direct storage of the password itself, even in hashed form.
Joe