August 17, 2004, 1:07:07 am
You may have heard by now that SHA-0 has been "broken" and that MD5 is rumored to also be "broken". What does this actually mean:
There are two main concepts behind a modern hash like SHA-0, SHA-1 and MD5 which are:
In the case of SHA-0 being "broken", it is point 2 that is now flawed. They have found two inputs that produce the same output. They did it using a generalised mathematic principle - which means given one hash, they can generate a new piece of content that will produce the same hash - given 80,000 CPU cycles
Effectively, if you have a username+password combination stores as an SHA-0 hash in your database and you use it to authenticate whether somebody is logging in validly and somehow a hacker gets access to the hashes you have stored - they will be able to generate (after lots of CPU work) a new username+password combination (not the original) that will produce the same hash and let them log in to your system.
Please note the if's.
By Steve Wart on August 18, 2004, 3:27:00 pm