3 upvotes, 1 direct replies (showing 1)
View submission: Reddit's Streak of Bad Luck Continues...
I don't really see what encryption gains you over hashing. [...] Encryption, though it does have all sorts of obvious benefits over cleartext,
As far as passwords go, you can brute-force hashing as well -- you just compare the hashes. In fact, as it's not 1-to-1, you don't always have to guess the correct plaintext in order to get the same hash. Plus you still need some method for forgotten passwords.
Comment by duketime at 14/12/2006 at 21:32 UTC
4 upvotes, 1 direct replies
You're right on both accounts: hashing can be brute forced or you can find a collision (and MD5 has been cracked). But the key difference is that if you use a good algorithm / hash length it's practically infeasible: there really isn't a reasonable short cut to crack it.
With 1-to-1 encryption (with a decryption algorithm) there is a method to get the cleartext in constant time (i.e. there is a short cut) and this is the key.
It's more desirable (in general) to live with the certainty that it will take a very very long time to crack / collide your hash than it is to live with the (off) chance that a leaked algorithm / key will **instantly** allow access (plus risk of the exact same brute force).