• David B (5/24/2009)


    and apparently is considered insecure (MSDN Link) along with the other MD hashes. SHA is apparently the way to go instead.

    Of course I don't really play in that space so can't comment as to the validity of those assertions. Any security experts care to comment?

    I'm not a security expert but I am enough of a nerd to have enjoyed studying cryptography.

    There are a couple of SHA versions out there, and the NSA has a contest on to decide on the next generation of SHA (NIST).

    The MD family isn't really secure anymore and neither is SHA-1, but they range on a sliding scale of "script kiddies love it" to "just don't store national secrets".

    Since secure from a cryptographer's viewpoint involves an attacker with the full resources of a large multi-national corporation or major national government, I've never lost sleep over using MD5 or SHA-1 in my less than top secret applications.

    Of course no hash algorithm in the world will protect from the user whose password is password.

    -DW