Hashing of usernames in syslog
Forrest J. Cavalier III
mibsoft at epix.net
Mon Sep 30 13:25:39 UTC 2002
> Your advice is fine. It just seems superstitious.
Perhaps you are confusing "superstitious" and "cautious."
Superstition: A belief or practice, resulting from ignorance, fear of
the unknown, trust in magic or chance, or a false conception of
causation. (Webster's Ninth New Collegiate Dictionary)
So I wouldn't say I was superstitious, instead "cautious" about security
algorithms, where it is easy for non-experts like me to make
assumptions which are not true.
> I want to see papers
> which point out vulnerabilities in MD5.
Seems like you didn't even try to look. The google.com search terms
you want are
md5 Hans Dobbertin
You could have arrived at that yourself by searching
md5 broken
(You seem to know more about encryption and security than
I do, so I'd be interested in knowing what you thought
of the paper.)
> I also want to see proof that an
> input to MD5 with symmetry doesn't make things worse.
>
That is a good point. I have no proof. The avoidance of
("secret" "phrase") and ("phrase" "secret") is my own non-expert
conclusion from reading Dobbertin. Use two secrets then.
Or better yet, find an expert for advice.
Thanks for the comments!
Forrest
More information about the inn-workers
mailing list