Mark Clements schreef:
"Tels" nospam-abuse@bloodgate.com wrote in message news:200701231852.29592@bloodgate.com...
What function you actually use for H(), may it be MD5 or SHA1, is practically irrelevant here, tho, but when you migrate to such a scheme, you might as well use SHA256 instead of MD5 (even if it is just to quiten all the "MD5 is insecure" cryers :)
In security, doing things because "you might as well" is an incredibly bad idea! A security system should only be changed to be a _better_ security system (and even then after it has been proven to be better). _Never_ because it's 'probably not worse'!
- Mark Clements (HappyDog)
Hoi, This discussion /is /about changing the security. Changing it because the need is felt for the current system to be improved. So when you have the option between several choices where one is theoretically substantially better, it is worth the consideration. As many people have mentioned it pays to use well tested, well known algorithms. As many people have mentioned, it pays to double check that the implementation is done perfectly. Public perception about security is important. When people think that something is not secure, they are a step closer to proving that something is not secure. Thanks, GerardM