| Sure. I'll be happy to elaborate. Undoubtedly you know that a hash is a one-way function (i.e. no inverse is known to exist). This makes finding people's passwords out pretty much impossible. So, how to hack it? Well, hash functions do have the ability to have 2 different inputs return the same value (don't ask me for an example, lol.) A hash is considered compromised if someone develops a way to "relatively" quickly find an input which comes up with the same output as for your actual password. This new input can be used for your password without ever having to know the original password. The post on php.net I linked to indicates that sha1 (which is newer than md5) has been compromised in such a fashion (md5 was a few years back if memory serves). To ensure that such an attack does not work on your system (essentially leaving it only open dictionary and social engineering attacks), you'll want to use one of the latest hashing functions that have not yet had such a method developed. |