[thelist] authorize.net says md5 algorithm error prone

Matt Warden mwarden at gmail.com
Sat Jun 4 18:44:42 CDT 2005


On 6/4/05, Erik Heerlein <erik at erikheerlein.com> wrote:
> Is the MD5hash worth using? Is it error prone or is authorize.net's
> implementation of it that is error prone?

Can you describe exactly what is being hashed by md5?

MD5 isn't error prone, AFAIK. What is "error prone" is how some people
use it, as if it were an encryption method. People, for instance, use
md5 to 'encrypt' passwords that they then store in cookies. This
really is no more safe than storing the plain text password in the
cookie, as md5'ing it will only keep an honest man honest.

One thing (although I could not confirm this with google): I believe
the algorithm is not one-to-one. In other words, a given string will
hash the same way every time, but a given hash could be the result of
md5'ing more than one string. i.e., a collision.

However, neither of these explains why authorize.net would send you an
md5 hash that was incorrect. I suspect you were talking to a tech
support dude(tte) who didn't quite know what he/she was talking about.

Matt Warden
Miami University
Oxford, OH, USA

This email proudly and graciously contributes to entropy.

More information about the thelist mailing list