On 1/22/07, Edward Z. Yang <edwardzyang@thewritingpot.com> wrote:
If this is indeed the case, we should be considering migrating away from MD5 to a more secure algorithm like SHA256. The breadth of attacks against this hashing scheme has grown incredibly sophisticated, and over where I consult, we generally discourage new developers from using MD5 for any security-related purposes (still makes a fine checksum though).
Aren't the vulnerabilities limited to the attacker creating a collision of two strings *that the attacker created* sharing a common prefix? Are they relevant to a password hash? There's no preimage attack against MD5, and that strikes me as the only thing relevant to passwords. Things like certificates can be a problem, of course, depending on exact implementation.
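An added illustration of the distinction the reply draws, not part of either message: MD5 is truncated to 16 bits (an assumption for the demo) so that both searches finish in well under a second. A collision search between attacker-chosen strings costs about 2^(bits/2) hash calls, while recovering a preimage of a fixed target, which is what a leaked password hash would require, costs about 2^bits. The "correct horse" sample password and the `msg-`/`guess-` input families are constructed for the demo.

```python
import hashlib

def trunc_hash(data: bytes, bits: int) -> int:
    """MD5 truncated to its top `bits` bits (assumed for the demo; real MD5 is 128 bits)."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def find_collision(bits: int):
    """Birthday search: two *attacker-chosen* inputs with the same hash.
    Expected cost is about 2**(bits/2) hash calls. Neither input is tied to
    any existing password, which is what the MD5 collision attacks produce."""
    seen = {}                          # truncated hash -> first input that produced it
    n = 0
    while True:
        msg = b"msg-%d" % n
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1  # (input_a, input_b, hash calls used)
        seen[h] = msg
        n += 1

def find_preimage(target: int, bits: int):
    """Preimage search: an input hashing to a *fixed* target, which is what an
    attacker holding a stolen password hash must do. Expected cost is about
    2**bits hash calls; for MD5 no shortcut comparable to the collision
    attacks is known, which is the point the reply makes."""
    n = 0
    while True:
        guess = b"guess-%d" % n
        if trunc_hash(guess, bits) == target:
            return guess, n + 1         # (input, hash calls used)
        n += 1

def compare_costs(bits: int = 16) -> dict:
    """Run both searches at the same truncation and report the hash calls used.
    The truncated hash of a constructed sample password stands in for a leaked one."""
    a, b, collision_tries = find_collision(bits)
    stored = trunc_hash(b"correct horse", bits)   # constructed sample password
    guess, preimage_tries = find_preimage(stored, bits)
    return {
        "collision_pair": (a, b),
        "collision_tries": collision_tries,
        "preimage": guess,
        "preimage_tries": preimage_tries,
    }

if __name__ == "__main__":
    for key, value in compare_costs().items():
        print(key, value)
```

Typical runs need a few hundred hash calls for the collision and tens of thousands for the preimage; raising `bits` widens the gap quadratically.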