MD5 found to be insecure


Reeve of Shinra
18th August 2004, 04:21 PM
http://news.zdnet.co.uk/internet/security/0,39020375,39163876,00.htm

The above article (from CNET actually) talks about recently discovered flaws in the MD5 hash and in the SHA-1 algorithm that could theoretically make them susceptible to hackers with an array of PCs.

I guess nothing can last forever, but (to keep it vb related), do you think that vb's double hash + salt password routine will put the block on such attempts as this?

ja3
18th August 2004, 05:05 PM
Everything can be hacked so... vbulletin will not put a block on this :) LOL

Floris
30th August 2004, 04:40 PM
I think it will be very hard to not only break it, but brute it, since it also uses a unique salt for each password hash. And it is something like md5(in md5).salt <-- all in an md5. I dunno, very confusing, complex and harder to abuse.

elmo
2nd September 2004, 03:52 PM
I don't think this is as big of a problem as some people hype it up to be.
If memory serves me right, an md5 sum hash string is 32 characters long; being that limited in length, it's almost guaranteed that there will be collisions.
Taking advantage of that collision tho, is a completely different matter.
Example taken (roughly) from a slashdot comment:
Say you have a document with the string $1595 in it, and you want to increase that number to say $3995. But the string that gives the same md5 sum can be utter nonsense like $"&95, which of course, in the right context would raise (or at least should) some alarms.

All in all, I don't see this as a problem for the everyday regular user, but high end users (law enforcement taking disk images and whatnot) might see this as a problem, and should use different verification methods.

I'll also throw in a disclaimer, I got no clue about encryption whatsoever :)

Floris
8th September 2004, 05:18 AM
I think XSS is a bigger worry than md5 :)

HiDeo
8th September 2004, 07:39 AM
I have the same opinion as ja3!

Everything can be hacked :(

md5 too

mf
8th September 2004, 03:53 PM
Any one-way encryption can be bruteforced. It's just the more complex algo the harder it is to bruteforce (you need more processing power). Single MD5 hashes made from strings with less than 8 characters can actually be reversed without bruteforcing, but as all real security uses more than 8 chars, rehashing, salting, or all three at the same time, this is not at all a threat. It has made the tripcode system (password gets hashed into a unique "tripcode" that people associate with a certain poster, an anonymous alternative to member registration) on Japanese BBSes hackable, if you have a password shorter than 8 characters. The web coders on iichan (http://iichan.net) are thinking of a solution to this problem, to make impersonation at least more difficult.
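
The salted double hash Floris describes and the short-password lookup mf mentions, as an added Python example that is not part of the thread and is not vBulletin's code. It assumes the construction md5(md5(password) + salt) with the inner digest as hex text; the salt length, wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def salted_double_md5(password: str, salt: str) -> str:
    # Assumed construction from the thread: md5(md5(password) + salt),
    # with the inner digest taken as 32 hex characters.
    inner = md5_hex(password.encode("utf-8"))
    return md5_hex((inner + salt).encode("utf-8"))

def new_salt() -> str:
    # Per-account random salt (length is an assumption), stored beside the hash.
    return secrets.token_hex(4)

def verify(password: str, salt: str, stored: str) -> bool:
    # Recompute with the account's own salt; compare in constant time.
    return hmac.compare_digest(salted_double_md5(password, salt), stored)

def build_table(words):
    # Precomputed table of bare md5(password) -> password, the kind of
    # lookup that reverses short unsalted hashes without brute force.
    return {md5_hex(w.encode("utf-8")): w for w in words}

def lookup(table, stored_hash):
    # Returns the matching password, or None when the hash is not in the table.
    return table.get(stored_hash)

if __name__ == "__main__":
    table = build_table(["secret1", "letmein", "abc123"])  # constructed wordlist
    bare = md5_hex(b"secret1")
    salt_a, salt_b = new_salt(), new_salt()
    hash_a = salted_double_md5("secret1", salt_a)
    hash_b = salted_double_md5("secret1", salt_b)
    print("bare md5 found in table:    ", lookup(table, bare))
    print("salted hash found in table: ", lookup(table, hash_a))
    print("same password, same hash?   ", hash_a == hash_b)
    print("login check still works:    ", verify("secret1", salt_a, hash_a))
    # The salt stops one table from covering every account; it does not
    # slow down guessing against a single account, since MD5 is fast.
```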

Pitbull FM
27th December 2004, 01:48 AM
I use my SSL cert for logging into my ACP. It's just one more step in making your site more secure. MD5 has always been crackable.

Mephisteus
27th December 2004, 02:04 AM
I've been looking to SSL, but I am so smalltime no one with brains would want to waste time on cracking md5 on my site :p

Apoco
27th December 2004, 09:46 PM
I think XSS is a bigger worry than md5 :)
Agreed. MD5 is something that while it has a set character length, sooner or later, it's possible to crack, the question is time, power, and knowledge, however, XSS can cause tons more problems to a user down the line if their identity is stolen.

nhant
31st December 2004, 02:29 PM
I think XSS is a bigger worry than md5 :)
worse, sql injections.

Pitbull FM
31st December 2004, 02:50 PM
worse, sql injections.
I have installed phpSuExec on my server and it makes Apache immune to injections.

Apoco
1st January 2005, 02:23 PM
I have installed phpSuExec on my server and it makes Apache immune to injections.
Nothing is ever immune, there is always someone smarter than the programmer.

elmo
2nd January 2005, 12:05 AM
Nothing is ever immune, there is always someone smarter than the programmer.
and the funny thing is that the 'smarter person' is usually an idiot user ;)