Note

Since the signature is based on the full URL (step 8), it is salted, and since the secret is always a machine-generated, unique string of at least 15 characters (32 in the latest version of Meridix), MD5 can be used as the default hash algorithm.

Example:
Using a hash-breaking setup that could generate 3 000 000 000 000 MD5 hashes per second, it would take 2401906 years 29 days 19 hours 12 minutes and 4 seconds (2.2739031742704e+23 password combinations) to try all possible secret combinations for 15 lowercase alphanumeric characters.

Using a hash-breaking setup that could generate 3 000 000 000 000 MD5 hashes per second, it would take 6.881744347665362e+29 years 67 days 8 hours 0 minutes and 44 seconds (6.515000913905823e+49 password combinations) to try all possible secret combinations for 32 lowercase alphanumeric characters.

Source: http://calc.opensecurityresearch.com/

Note that user-defined passwords etc. are not stored as MD5 hashes.

The signing can also be done with the SHA256 or SHA512 algorithms, and in those cases it is also handled automatically by the server. The minimum allowed hash algorithm strength (MD5 → SHA256 → SHA512) can be set on a Meridix installation, which forces all API clients to use that hash algorithm or a stronger one.
