Re: SHA-1 vs. triple-DES for password encryption?

Date: 11/12/02

First of all, thank you all for the time and effort that went into everyone's responses. This discussion has given us much to think over.

My understanding of the replies in general is:

1. Either SHA-1 or 3DES would be sufficient for securing passwords. (MD5 is not an available option.)
2. 3DES may be used to create a one-way function by using the password to encrypt some standard data.
3. Salting the password with a username and/or some random data would increase the security.
4. If storage is unable to be increased beyond eight bytes, either using 3DES to encrypt a standard eight bytes using the password or using SHA-1 and truncating to eight bytes would be acceptable.

If I have misunderstood any of this, please feel free to correct me.

On a side note (I have asked someone this before, and if I missed the reply, I apologize), the FAQ for this list states:

"0.1.3 What is inappropriate content?
   Product advertisements.
   Basic "how to" questions, which are already in the lists programming guide.
   Exploits, or discussion of methods to exploit vulnerabilities in detail."

Will someone here please point me to the "lists programming guide" mentioned?

Again, thank you very much and I look forward to reading any continued discussion.
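
Points 3 and 4 of the summary above, as an added example that is not part of the original post: a salted SHA-1 truncated to eight bytes, shown beside the unsalted form. The function names, the length-prefixed field layout and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST_BYTES = 8  # the eight-byte storage limit from point 4


def unsalted_value(password: str) -> bytes:
    """Truncated SHA-1 with no salt: equal passwords give equal records."""
    return hashlib.sha1(password.encode("utf-8")).digest()[:DIGEST_BYTES]


def stored_value(username: str, password: str, random_salt: bytes = b"") -> bytes:
    """SHA-1 over username, optional random salt and password, cut to 8 bytes.

    The username needs no extra storage; a random salt (point 3) would have
    to be stored next to the record, outside the eight bytes.
    """
    h = hashlib.sha1()
    for field in (username.encode("utf-8"), random_salt, password.encode("utf-8")):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()[:DIGEST_BYTES]


def verify(username: str, password: str, stored: bytes, random_salt: bytes = b"") -> bool:
    """Recompute the record and compare in constant time."""
    candidate = stored_value(username, password, random_salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    for user in ("alice", "bob"):
        print(user,
              "unsalted:", unsalted_value("correct horse").hex(),
              "salted:", stored_value(user, "correct horse").hex())
    record = stored_value("alice", "correct horse")
    print("right password:", verify("alice", "correct horse", record))
    print("wrong password:", verify("alice", "wrong horse", record))
```
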


