On Tue, 2006-28-11 at 10:08 +0100, David Faure wrote:
On Tue Nov 28 2006, Patrick Durusau wrote:
Shouldn't encryption of the password be considered as application specific?
This would simply kill interoperability. Why don't we standardize the hash
function instead?
Or provide a short list of acceptable hash functions. For example: SHA1,
SHA256 and SHA512.
I'm a tad hesitant about SHA1 because it's been "broken", but only for
finding collisions:
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
So, you shouldn't use SHA1 for digital signatures, but AFAICT it's still
perfectly good for encryption and password purposes where you are not
looking for collisions but a pre-image.
The reason I suggest a list is that not everyone might want to use
SHA512 for their passwords, as it's over-kill, but we shouldn't disallow
people who do want to use SHA512.
Cheers,
Daniel.
22 messages in org.oasis-open.lists.officeRe: [office] Passwords
.pgp