• DocMcStuffin@lemmy.world · 8 upvotes · 5 hours ago

    Wow this article is kinda shit. MD5 was on the chopping block for password hashing over 20 years ago. It’s so seriously broken that if someone is using it they deserve to get bludgeoned to death with a Model M keyboard. We have purpose-built solutions just for password hashing.

    The only thing the fine bad article sorta got right was two-factor. I say kinda because biometrics (something you are) isn’t that great of a second factor. Mainly because you can’t change it. Also, it’s a fuzzy match rather than a hard match. It can be acceptable to use locally and where all the information stays locally AND there is sufficient hardware-based security where said biometrics isn’t going to get off the device.

    Finally, there was no mention of any kind of physical token-based factor (something you have). Which pairs well with password, passphrase, or any other “something you know” factor.
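
An added example, not part of the comment above: one way to move stored passwords off unsalted MD5 onto a purpose-built password hash, here scrypt from Python's standard library, by re-hashing each legacy record at the user's next successful login. The record format, the cost parameters, and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Illustrative scrypt cost parameters (assumption); tune them for your hardware.
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024

def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' using a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                        maxmem=MAXMEM, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Verify against a scrypt record; malformed records fail closed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def is_legacy_md5(stored: str) -> bool:
    """Legacy records are assumed to be a bare 32-character hex MD5 digest."""
    return len(stored) == 32 and all(c in "0123456789abcdefABCDEF" for c in stored)

def login(password: str, stored: str) -> tuple[bool, str]:
    """Return (ok, record_to_store); a matching MD5 record is upgraded to scrypt."""
    if is_legacy_md5(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(legacy, stored.lower()):
            return True, hash_password(password)  # caller persists the new record
        return False, stored
    return verify_password(password, stored), stored

# Constructed sample data: a legacy record as an old system would have stored it.
SAMPLE_PASSWORD = "constructed-sample-passphrase"
LEGACY_RECORD = hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()
```

Legacy records for accounts that never log in again stay as MD5 under this scheme, so they need a forced reset or a cutoff date.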