Ivan Krstić wrote:
> New crypto implementations often have far more security issues than the
> primitives they're implementing. Despite the known attacks on SHA-1,
> it's perfectly fine for password hashing, and it doesn't require
> external libraries. Use it, be merry.

Actual encryption (both design and implementation) is indeed rocket
science, but implementing cryptographic hashes is not difficult at all
as long as you understand the algorithm and have a good battery of unit
tests to make sure your implementation is working properly.

Yes, actually *designing* a hash function is difficult. And yes, SHA-1
*probably* is still good enough. But if we're going to go to the trouble
of migration (small trouble, but trouble that requires DB schema changes
nonetheless (be they formal or informal)), we might as well do it right.

I remember one security expert saying that there is no smoke yet, but
the alarm bells have gone off for SHA-1 and it's time to walk (not run)
for the exits.