MD5 sure (http://en.wikipedia.org/wiki/MD5), but I thought SHA1 is still pretty good for most non-DoD purposes -- are you sure you're not just thinking of the original SHA-0?
Quote from: http://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation
The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.
I still think it's nice to know about an easy-to-find JS version (esp. as part of a larger library of JS functions that might not be standard part of the language nor of jQuery)
http://phpjs.org/functions/sha1:512
I've used SHA-1 to generate random numbers and the like but I wouldn't actually use it for cryptography...
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
No, the cryptographers have been recommending using SHA256 since I was at Upside (nine years ago!). SHA256 and SHA512 (what they're now recommending) are both part of the SHA-2 specification. I remember reading the NSA is working on an SHA-3 specification that's supposed to increase the complexity by many times, to counteract the faster computing power since SHA-2 came out (2001? 2002?).
Well it's weird that the Wikipedia opening paragraph for MD5 makes it really clear that it's broken, and suggests/links to the SHA-1 article. But on the SHA-1 article it talks about how it is a solution to the problems of SHA-0.
I get the impression that SHA-1 is still fine for something quick and not super-critical like hashing a user's password+salt into your database (rather than MD5)... but it's not like I've spent a bunch of time comparing modern hash algorithms (http://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_hash_algorithms) ;) Even Google has offered its own improvement on what others have been working on: http://google-opensource.blogspot.ca/search/label/cityhash but overall I wonder if most developers just end up using SHA-1 since it's easy to find an implementation and runs not very slow and is way better than MD5?
Quote from: Mr. Analog on September 11, 2012, 08:38:50 AM
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
"It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important)."
Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion :-X
Quote from: Darren Dirt on September 11, 2012, 08:41:43 AM
Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion :-X
aww but! This is the kind of technical nerdity we can all really sink our teeth into! But yeah, it'd definitely be off-topic.
Quote from: Thorin on September 11, 2012, 08:51:18 AM
Quote from: Darren Dirt on September 11, 2012, 08:41:43 AM
Hmmm... So w/e, thanks for the links guys, interesting to know -- but I don't want this thread to become an encryption discussion :-X
aww but! This is the kind of technical nerdity we can all really sink our teeth into! But yeah, it'd definitely be off-topic.
"While SHA-1 has not been compromised in real-world conditions, SHA-256 is not much more complex to code, and has not yet been compromised in any way." http://www.movable-type.co.uk/scripts/sha256.html
okay there, /discussion.
Basically SHA1 has replaced md5 as the CHEAPEST hash for utility tasks, mostly because it is reliably implemented in so many libraries and is readily available.
However that doesn't dismiss the fact that for high security it is weak and should not be used for critical security uses.
-moved-
C'mon, LinkedIn password hack back in June, obviously a bit more than one point of failure but still a case where SHA-1 was broken to gain info IRL.
http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html
Split topic for obvious reasons.
Where's the hook? COZ WE OFF IT BOY
Quote from: Mr. Analog on September 11, 2012, 09:17:27 AM
C'mon, LinkedIn password hack back in June, obviously a bit more than one point of failure but still a case where SHA-1 was broken to gain info IRL.
http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html
Rainbow tables can be made for any hash, it didn't have anything to do with the sha1 being broken... broken indicates you could simply generate a collision to access the system knowing the hash.
linkedin was all about the weak common passwords lacking salt.
Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.
Quote from: Thorin on September 11, 2012, 10:10:55 AM
Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.
speaking of which: Dark Knight Rises -- Great Movie, or Greatest Movie?
Quote from: Darren Dirt on September 11, 2012, 12:02:35 PM
Quote from: Thorin on September 11, 2012, 10:10:55 AM
Jebus, I ended up on a page describing latent fingerprint examination thanks to this thread.
speaking of which: Dark Knight Rises -- Great Movie, or Greatest Movie?
It's the worst period drama I've ever seen.
Oh good, we split this from the original thread to keep it and this on topic.
Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.
Well orphaned thread, orphaned Bruce Wayne
(this is the Batmaaaaaaaan of threads)
Back where my post got cut off, the point was that LinkedIn was due to lack of salt and weak passwords, not a flaw in sha1, there just happen to be handy sha1 tables.
However GPU acceleration, SSD drives and, well, purchasing cloud power make it trivial to generate large rainbow tables for almost any hash as long as they are not salted, or even better uniquely salted, as then each password needs its own table assuming you know the salt.
You still can't easily generate a collision for sha1 although it is possible in theory.
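Added example (not part of any post in this thread): a short Python sketch of the point made above, that one precomputed table recovers every unsalted SHA-1 password hash it covers, while a unique per-user salt makes that same table useless. The account names, passwords and helper function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and three accounts.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein", "qwerty"]
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "c0rrect-h0rse-42"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against every unsalted hash."""
    return {sha1_hex(p.encode()): p for p in candidates}


def store_unsalted(accounts):
    """The weak scheme: the stored value is just SHA-1(password)."""
    return {user: sha1_hex(pw.encode()) for user, pw in accounts.items()}


def store_salted(accounts):
    """Unique random 16-byte salt per user; the record keeps (salt, digest)."""
    records = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        records[user] = (salt, sha1_hex(salt + pw.encode()))
    return records


def recovered_by_table(table, digests):
    """Users whose stored digest appears in the precomputed table."""
    return {user: table[d] for user, d in digests.items() if d in table}


def verify_salted(record, attempt):
    """Login check for the salted scheme, using a constant-time comparison."""
    salt, digest = record
    return hmac.compare_digest(sha1_hex(salt + attempt.encode()), digest)


TABLE = build_lookup_table(COMMON_PASSWORDS)
UNSALTED = store_unsalted(ACCOUNTS)
SALTED = store_salted(ACCOUNTS)
SALTED_DIGESTS = {user: digest for user, (_, digest) in SALTED.items()}

if __name__ == "__main__":
    print("unsalted, found in table:", recovered_by_table(TABLE, UNSALTED))
    print("salted, found in table:  ", recovered_by_table(TABLE, SALTED_DIGESTS))
    print("same digest for same password (unsalted):", UNSALTED["alice"] == UNSALTED["bob"])
    print("same digest for same password (salted):  ", SALTED_DIGESTS["alice"] == SALTED_DIGESTS["bob"])
```

Salting only removes the precomputation and cross-account reuse; a fast hash still allows rapid per-account guessing, which is why password storage normally uses a deliberately slow function such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt` on top of the unique salt.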
Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.
Oh good, you saw what I did there. ;)
Got it out of my system now. Worry not.
Back on topic... Yeah, salt ftw, fo sho.
Quote from: Darren Dirt on September 11, 2012, 04:59:10 PM
Quote from: Thorin on September 11, 2012, 01:27:49 PM
Oh good, we split this from the original thread to keep it and this on topic.
Oh good, you saw what I did there. ;)
Got it out of my system now. Worry not.
Back on topic... Yeah, salt ftw, fo sho.
Truly one of Angelina Jolie's best roles.
...who was also in HACKERS zomg this is getting freaky bro...
Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...
See what I did there
Now rearrange all the letters in this thread for a secret message! :)
Quote from: Mr. Analog on September 11, 2012, 09:12:43 PM
Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...
See what I did there
Now rearrange all the letters in this thread for a secret message! :)
"The quick brown fox jumps over the lazy dog"
What does it mean :o
Quote from: Tom on September 11, 2012, 10:49:34 PM
Quote from: Mr. Analog on September 11, 2012, 09:12:43 PM
Quote from: Darren Dirt on September 11, 2012, 08:23:42 PM
...who was also in HACKERS zomg this is getting freaky bro...
See what I did there
Now rearrange all the letters in this thread for a secret message! :)
"The quick brown fox jumps over the lazy dog"
What does it mean :o
"BUY MORE OVALTINE"
Oh maaaaan!
(http://images.fineartamerica.com/images-medium/out-of-hand-shop-sign-mark-sellers.jpg)
this thread.
I'm glad I split it more than ever now hahaha