- old school security

No, quite the opposite. The hashcode algorithm should be as public as possible so any weakness can be found. What keeps a hashcode secure is the amount of time it takes to find collisions. The hashes themselves, yes, keep those secret. I have a string that has an MD5 hash of d373a246bddeed37feec0c1c7c7b92ca. Find a string (this one or any other) that has that hash. The algorithm for MD5 is well known, and it is no longer considered to be cryptographic strength. It can't take significantly more than 2^128 trials to find a match. At a nanosecond per trial, that's only 10802614822886935348043 years to complete the job. Certain weeknesses make it less secure than (since there are ways of generating identical strings with identical MD5s if you start with a known MD5 collision) you would really like for passwords. But feel free to try coming up with a match for that one. Now try to find the one that also has an sha1 hash of d79b75daa96671379b52210e1e3bf341c061f1cf Eric