Re: Crack in Computer Security Code Raises Red Flag

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 03/16/05


Date: 15 Mar 2005 17:58:20 -0800

IPGrunt <me@privacy.net> writes:
> More interesting to me would be to learn, what if anything, are
> people are doing about this? I recently changed the code of a web-app
> in development to use SHA256 for password hashing (instead of SHA1)
> and I'm considering retrofiting a couple of apps that are in use.
>
> How about you?

I think it's not worth retrofitting old applications, especially for
things like passwords, which are relatively low security to begin
with. And for the long term, some of us are concerned that even the
SHA2 hashes (SHA256/384/512) aren't secure enough, because of how
their design works. So we working cryppies continue to use SHA1 for
the time being while waiting for standards bodies, CA organizations,
and so forth, to reach consensus about the SHA1 situation and deploy a
replacement.