Mark Clements schreef:
"Tels" <nospam-abuse(a)bloodgate.com>
wrote in
message news:200701231852.29592@bloodgate.com...
What function you actually use for H(), may it be
MD5 or SHA1, is
practically irrelevant here, tho, but when you migrate to such a scheme,
you might as well use SHA256 instead of MD5 (even if it is just to quiten
all the "MD5 is insecure" cryers :)
In security, doing things because "you might as well" is an incredibly bad
idea! A security system should only be changed to be a _better_ security
system (and even then after it has been proven to be better). _Never_
because it's 'probably not worse'!
- Mark Clements (HappyDog)
Hoi,
This discussion /is /about changing the security. Changing it because
the need is felt for the current system to be improved. So when you have
the option between several choices where one is theoretically
substantially better, it is worth the consideration. As many people have
mentioned it pays to use well tested, well known algorithms. As many
people have mentioned, it pays to double check that the implementation
is done perfectly. Public perception about security is important. When
people think that something is not secure, they are a step closer to
proving that something is not secure.
Thanks,
GerardM