On 1/22/07, Edward Z. Yang <edwardzyang(a)thewritingpot.com> wrote:
> If this is indeed the case, we should be considering migrating away from
> MD5 to a more secure algorithm like SHA256. The breadth of attacks
> against this hashing scheme has grown incredibly sophisticated, and
> over where I consult, we generally discourage new developers from using
> MD5 for any security-related purposes (it still makes a fine checksum
> though).
Aren't the vulnerabilities limited to the attacker creating a
collision of two strings *that the attacker created* sharing a common
prefix? Are they relevant to a password hash? There's no preimage
attack against MD5, and that strikes me as the only thing relevant to
passwords. Things like certificates can be a problem, of course,
depending on the exact implementation.
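As an added illustration of the distinction drawn above (this is example code, not part of the original thread), the block below checks the published MD5 colliding pair from Wang et al.'s 2004 result: two different 128-byte attacker-constructed messages with the same digest, differing only in six bytes. It shows what such a collision does and does not give an attacker: because MD5 is a Merkle-Damgard construction, any identical suffix appended to both messages still collides, but nothing about the pair helps recover a password from a stored hash, for which the only generic route remains guessing candidates. The `recover_password` helper, the wordlist and the password `hunter2` are constructed for the example and are assumptions, not anything from the thread.

```python
import hashlib
from typing import List, Optional

# Constructed test data: the widely published Wang et al. MD5 colliding pair.
# Both messages are exactly 128 bytes (two full 64-byte MD5 blocks).
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_byte_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_collision(a: bytes, b: bytes) -> bool:
    """True when two distinct messages hash to the same MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)


def collides_with_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard property: once a and b (both whole blocks) share an
    internal state, a||s and b||s collide for any suffix s the attacker picks."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def recover_password(stored_hex: str, wordlist: List[str]) -> Optional[str]:
    """The only generic way from an unsalted MD5 password hash back to a
    password: guess candidates and compare digests. No collision pair helps
    here, because the target digest was fixed by someone else."""
    for word in wordlist:
        if md5_hex(word.encode()) == stored_hex:
            return word
    return None


if __name__ == "__main__":
    print("collision:", is_collision(COLLIDING_A, COLLIDING_B))
    print("digest:", md5_hex(COLLIDING_A))
    print("differing offsets:", differing_byte_offsets(COLLIDING_A, COLLIDING_B))
    print("still collides with suffix:",
          collides_with_suffix(COLLIDING_A, COLLIDING_B, b"chosen by attacker"))
    # Constructed wordlist and stored hash for the preimage-by-guessing case.
    wordlist = ["password", "letmein", "hunter2"]
    print("recovered:", recover_password(md5_hex(b"hunter2"), wordlist))
```

The six differing offsets (19, 45, 59, 83, 109, 123) are each a single high bit flipped in one 32-bit word of each block, which is the shape of the Wang differential; the rest of the two messages, including the whole first 19 bytes, is identical, matching the "common prefix" description in the reply.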