On Tue, 2006-28-11 at 10:08 +0100, David Faure wrote:
On Tue Nov 28 2006, Patrick Durusau wrote:
Shouldn't encryption of the password be considered as application specific?
This would simply kill interoperability. Why don't we standardize the hashfunction instead?
Or provide a short list of acceptable hash functions. For example: SHA1,
SHA256 and SHA512.
I'm a tad hesitant about SHA1 because it's been "broken", but only for
So, you shouldn't use SHA1 for digital signatures, but AFAICT it's still
perfectly good for encryption and password purposes where you are not
looking for collisions but a pre-image.
The reason I suggest a list is that not everyone might want to use
SHA512 for their passwords, as it's over-kill, but we shouldn't disallow
people who do want to use SHA512.
"I AM in shape. Round IS a shape."