If I store an array of information (account, e.g. full name, address, user ID, password) on various servers and I want to encrypt the password using MD5 (the question is), every time I add the account into the LDAP servers (since that's what we're using), does that mean that every time I save the password I'll have to use the 'crypt' function? Does it make a difference if I save it in one variable after a one-time encryption and use it for all servers?
A:
An MD5-encrypted password usually includes a (random) salt, to make it more difficult to perform dictionary attacks. If you encrypt the same password twice, you get two different outputs.
If you copy the MD5 encryption result, the password will "work", but you indicate to an attacker that the same password is in use on different users/servers (assuming an attacker can get access to the MD5). Since the attacker may have guessed that anyway, this risk is not high; dictionary attacks still won't be possible, since the password is still salted.
Martin v. Löwis
2009-08-06 07:52:27
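To make the answer's two points concrete, here is an added example (not code from the answer or from any LDAP server): a pure-Python implementation of the MD5-crypt scheme (the `$1$salt$hash` format produced by `crypt`). The salt is part of the output, so hashing the same password twice with fresh salts gives two different strings, while copying one string to every server still verifies because the salt travels with it. Function names are my own.

```python
import hashlib
import hmac
import secrets

# Alphabet crypt(3)-style hashes use for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"  # prefix identifying the MD5-crypt scheme


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def new_salt() -> str:
    # Fresh random 8-character salt (the maximum length MD5-crypt uses).
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def md5crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<hash>" for password; the salt is kept in the output."""
    pw, sb = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sb + pw).digest()  # auxiliary digest
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    for pl in range(len(pw), 0, -16):  # one byte of alt per password byte
        ctx.update(alt[: min(pl, 16)])
    i = len(pw)
    while i:  # walk the bits of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching loop (1000 rounds)
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return MAGIC + sb.decode() + "$" + enc + _to64(final[11], 2)


def verify(stored: str, password: str) -> bool:
    """Recompute using the salt embedded in stored, so one string works on every server."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)
```

Calling `md5crypt(pw, new_salt())` twice yields two different strings that both pass `verify`, which is exactly why hashing once and reusing the result across servers works but reveals that the servers share a password.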
Thanks! ;)
Suezy
2009-08-06 08:09:59