SHA-3 is KECCAK
John Colvin
john.loughran.colvin at gmail.com
Tue Jan 21 02:05:58 PST 2014
On Tuesday, 21 January 2014 at 09:58:34 UTC, Uranuz wrote:
> I don't feel confident about crypto and security
> questions, but I need to do password hashing and generation
> of session IDs, and make it difficult to guess a password with
> brute force or a dictionary on a single "usual" computer. I'm
> slightly disappointed that the more I read different articles
> on IT forums, the less I understand. And there are
> several opposing ideas that stun me.
> 1. All security systems, ciphers, etc. can be hacked if someone
> wants it
> 2. Do not reinvent the wheel. Everything has been invented already.
> 3. If you use a standard implementation, there is a high risk that it
> was cracked already.
> 4. Is it really essential to someone to crack your security?
>
> About md5, I have read that it's already cracked. It's
> vulnerable to length extension attacks. I feel SHA 2 is
> better (but it's not my opinion - it's just a subjective
> feeling). And maybe a more modern algorithm hasn't been hacked
> yet. A greater variety of standard implemented hash algorithms would
> make it possible to combine them in different ways to get a non-standard
> implementation of a hash. I think it can increase security
> against attacks with rainbow tables.
>
> I don't know if I'm right or not. The reason why I asked is that
> I'm implementing authentication on a site written in D. So I want
> to make the password hash generation function secure enough to
> forget about it for ~5 years or more. Because there are only a
> few hash functions implemented in std.digest, and they are
> not so strong in terms of security. It makes it not very useful.
>
> P.S. Sorry for my English.
I don't have any significant expertise on this subject, but I did
find this highly rated article useful and interesting:
http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
Note that it recommends against md5.
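
An added example, not part of the original thread and not code from the linked article: salted, iterated password hashing and random session ID generation, the two things the question asks for, using only the Python standard library. The function names, the stored-record format and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not from the thread).
ITERATIONS = 600_000      # PBKDF2 work factor: slows each brute-force guess
SALT_BYTES = 16           # per-password random salt: defeats rainbow tables
SESSION_ID_BYTES = 32     # 256 bits from the OS CSPRNG


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iter_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_sha256" or not 0 < iterations <= 10_000_000:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def new_session_id() -> str:
    """Unpredictable session ID; never derive it from user data or the clock."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(new_session_id())
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing hashes.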
More information about the Digitalmars-d mailing list