
Re: encrypt password by md5 twice?



Zhang Weiwu wrote:
Dear everyone

I am planning to migrate an Intranet info system to authenticate with
OpenLDAP, so more of our business can be done with the same login. The
old system uses their own SQL table to store user information, no
problem, I can write a script to convert to LDIF format. But md5 was
used to encrypt user password, and the developer of that system knows
md5 is cracked, so he encrypted the md5 hash with md5 method again.

clear text password --> md5 hash --> md5 hash of the md5 hash

My question:

   1. Have you ever heard this solution to avoid md5 crack? Now as I
      cannot reach the original system author, I wonder how this idea
      came to be (e.g. why not using SHA).

not heard of it.

   2. Does it work? (is md5 hashed md5 hash much safer with no side-effect?)

Sounds like it would take twice as long.

   3. Now, how we can migrate this system to use openldap. AFAIK
      openldap has no direct support for such hash. There are a lot of
      users of the system and there will be problems if migration is
      done and everyone's password is reset.

You'd have to get everyone to type in their md5 hash ;-)

You've no choice but to reset all passwords. Seems like the best time to do it under the "migration" umbrella.

Gavin.

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
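
Added example, not part of the original message or of OpenLDAP's code: a Python model of what happens if a migration script copies the legacy md5(md5(password)) value into OpenLDAP's {MD5} userPassword scheme. Assumptions: the legacy system feeds the inner digest to the outer MD5 as lowercase hex text, the DN suffix is a placeholder, and `ldap_md5_check` only models a single-pass {MD5} comparison.

```python
import base64
import hashlib
import hmac

def inner_md5_hex(password: str) -> str:
    """First MD5 pass of the legacy system, as lowercase hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def legacy_double_md5(password: str) -> str:
    """Value in the old SQL table: md5 of the md5 hash.
    Assumption: the outer pass hashes the hex text, not the raw 16 bytes."""
    return hashlib.md5(inner_md5_hex(password).encode("ascii")).hexdigest()

def ldap_md5_value(digest_hex: str) -> str:
    """Encode a 16-byte MD5 digest as a {MD5} value (base64 of raw bytes)."""
    return "{MD5}" + base64.b64encode(bytes.fromhex(digest_hex)).decode("ascii")

def ldap_md5_check(stored: str, candidate: str) -> bool:
    """Model of a {MD5} check: hash the submitted password once, compare."""
    if not stored.startswith("{MD5}"):
        return False
    expected = base64.b64decode(stored[len("{MD5}"):])
    actual = hashlib.md5(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)

def to_ldif(uid: str, legacy_hash: str) -> str:
    """LDIF fragment a naive converter would emit (placeholder suffix)."""
    return (f"dn: uid={uid},ou=people,dc=example,dc=com\n"
            f"userPassword: {ldap_md5_value(legacy_hash)}\n")

def demo():
    password = "correct horse"  # constructed sample password
    stored = ldap_md5_value(legacy_double_md5(password))
    # The real password fails, because the server hashes it only once.
    password_binds = ldap_md5_check(stored, password)
    # Only the inner MD5 hex string would match the copied value.
    inner_hash_binds = ldap_md5_check(stored, inner_md5_hex(password))
    return password_binds, inner_hash_binds

if __name__ == "__main__":
    print(to_ldif("zhang", legacy_double_md5("correct horse")))
    print(demo())
```

The copied value verifies only against the intermediate hash, which is the "type in their md5 hash" situation from the reply above, so a straight LDIF conversion does not preserve anyone's login.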