Brion Vibber wrote:
> As a note, AFAIK versions of PHP prior to 5.1.2 include only MD5 and SHA-1 digest functions built-in, and the rumor is SHA-1 isn't safe enough either. [snip]
I would recommend rolling a pure-PHP implementation of SHA-256 and switching to the hash implementation if it is present. The hash isn't computed very often: only during login and password setting, so any performance penalty incurred wouldn't be that bad. Plus, there are already a number of quite fast SHA-256 implementations out there for PHP. I personally recommend: http://code.tatzu.net/sha256/
> With appropriate hash functions present, we could indeed auto-upgrade hashes on login. (A new field is not necessarily required; the existing hash field can be upgraded to indicate the hash algo along with the hash value. And in a happy case of coincidence, the password hash fields are tinyblobs, so anything that fits in 255 bytes is cool...)
Works then, since raw binary SHA-256 output is only 256 bits (64 bytes, I believe). We can easily spare another 7 bytes to prepend it with something along the lines of "sha256:"
Simetrical wrote:
> Aren't the vulnerabilities limited to the attacker creating a collision of two strings *that the attacker created* sharing a common prefix? Are they relevant to a password hash? There's no preimage attack against MD5, and that strikes me as the only thing relevant to passwords. Things like certificates can be a problem, of course, depending on exact implementation.
Well, in spite of these extremely devastating attacks in the collision area, the keyspace of MD5 is extremely small: 128 bits is small enough that a birthday attack is extremely feasible. MD5 also has many comprehensive rainbow tables (including one that's 4.9 TB large!). I think it's worth migrating, even if the security increase is comparatively small. It's not difficult to do.
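The login-time auto-upgrade discussed above, written out as an added example; this is not MediaWiki code nor code from anyone in the thread. It assumes the built-in `hash()` extension (PHP 5.1.2+) is present, stores the digest as hex rather than raw binary (so a tagged value is `"sha256:"` plus 64 hex characters, 71 bytes, still inside a 255-byte tinyblob), treats any untagged stored value as legacy MD5 hex, and uses a plain PHP array as a stand-in for the user table. The constant-time comparison helper is an addition of this example, not something the thread proposes.

```php
<?php
// Added example (not MediaWiki's code): tagged password hashes with
// auto-upgrade from legacy untagged MD5 to "sha256:" on successful login.
// Assumptions: hashes stored as hex; an in-memory array stands in for the
// user table's tinyblob password column.

function sha256Hex($data) {
    if (function_exists('hash')) {           // built-in from PHP 5.1.2
        return hash('sha256', $data);
    }
    // A pure-PHP SHA-256 (such as the one linked in the thread) would be
    // plugged in here; this example assumes the built-in is available.
    throw new Exception('No SHA-256 implementation available');
}

function makePasswordHash($password) {
    return 'sha256:' . sha256Hex($password);
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6,
// so this helper is written out for the PHP versions the thread targets.
function sameString($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// True if $password matches $stored, whichever algorithm produced it.
function checkPassword($password, $stored) {
    $pos = strpos($stored, ':');
    if ($pos === false) {
        // Legacy untagged value: 32 hex characters of MD5.
        return sameString(md5($password), $stored);
    }
    $algo   = substr($stored, 0, $pos);
    $digest = substr($stored, $pos + 1);
    switch ($algo) {
        case 'sha256':
            return sameString(sha256Hex($password), $digest);
        case 'md5':
            return sameString(md5($password), $digest);
        default:
            return false;   // unknown tag: refuse rather than guess
    }
}

// Login path: verify first, then, if the stored value is not already
// SHA-256, re-hash the now-verified plaintext and write it back.
function login(&$users, $name, $password) {
    if (!isset($users[$name])) {
        return false;
    }
    if (!checkPassword($password, $users[$name])) {
        return false;
    }
    if (strpos($users[$name], 'sha256:') !== 0) {
        $users[$name] = makePasswordHash($password);   // auto-upgrade
    }
    return true;
}

// Constructed sample rows: one legacy MD5 user, one already upgraded.
$users = array(
    'alice' => md5('correct horse'),          // legacy, untagged
    'bob'   => makePasswordHash('battery'),   // already "sha256:"
);

login($users, 'alice', 'wrong');             // must fail; row stays MD5
login($users, 'alice', 'correct horse');     // succeeds; row rewritten
login($users, 'bob', 'battery');             // succeeds; row unchanged

foreach ($users as $name => $stored) {
    echo $name, ' => ', $stored, "\n";       // both rows now start with sha256:
}
```

Because the upgrade only happens after a successful check, a wrong password never rewrites the row, and rows for users who never log in again simply keep their old tag, which is what makes the untagged-means-MD5 convention safe to keep during the migration.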