[openstack-dev] Keystone Hashing MD5 to SHA256
Jeremy Stanley
fungi at yuggoth.org
Mon Jan 6 18:10:15 UTC 2014
On 2014-01-06 10:19:39 -0500 (-0500), Adam Young wrote:
> If it were as easy as just replacing the hash algorithm, we
> would have done it a year + ago. I'm guessing you figured that by
> now.
[...]
With the lack of In-Reply-To header and not finding any previous
messages to the list in the past few months with a similar subject
line, I'm lacking some context (so forgive me if I'm off the mark).
If the goal is to thwart offline brute-forcing of the hashed data,
shouldn't we be talking about switching away from a plain hash to a
key derivation function anyway (PBKDF2, bcrypt, scrypt, et cetera)?
MD5 is still resistant to preimage and second preimage attacks as
far as I've seen, and SHA256 doesn't take too many orders of
magnitude more operations to calculate than MD5.
--
Jeremy Stanley
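
The contrast drawn in the message above, as an added example that is not part of the original post or of Keystone's code: an unsalted single-pass digest (MD5 or SHA256) beside a salted PBKDF2-HMAC-SHA256 record, with a timing helper showing how the per-guess cost of an offline search differs. The function names, the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

ITERATIONS = 200_000  # assumed work factor; tune to your own latency budget


def plain_digest(secret: bytes, algo: str) -> str:
    """Unsalted single-pass hash: one cheap operation per offline guess."""
    return hashlib.new(algo, secret).hexdigest()


def kdf_record(secret: bytes, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2 record in a hypothetical 'scheme$iter$salt$dk' layout."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(secret: bytes, record: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, rounds)
    return hmac.compare_digest(dk, expected)


def seconds_per_guess(fn: Callable[[], object], rounds: int) -> float:
    """Average wall-clock cost of one candidate check."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed input, not real data
    for algo in ("md5", "sha256"):
        cost = seconds_per_guess(lambda: plain_digest(secret, algo), 20_000)
        print(f"{algo:>7}: {cost:.2e} s per guess")
    cost = seconds_per_guess(lambda: kdf_record(secret, b"\x00" * 16), 3)
    print(f" pbkdf2: {cost:.2e} s per guess at {ITERATIONS} iterations")
```

On typical hardware the two plain digests land within a small factor of each other, while the PBKDF2 line is several orders of magnitude slower per guess and scales with the iteration count.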