On 19/07/2017 15:51, Mark Rotteveel wrote:
>
>>
>> In most cases the original string (password) is not even stored, and hashes
>> are used to check if a password matches a previous one.
>
> The proposed hashes are **not** suitable for passwords; you shouldn't
> use a pure cryptographic hash for passwords as they are optimized for
> speed. For passwords you need to use an algorithm with a work
> factor/iteration count (eg pbkdf2, bcrypt) that slows it down.
>

Mark, this is interesting. I know bcrypt is widely used by nodejs/express people and I even used it myself.
But what is more interesting, isn't Firebird still using these "not suitable for passwords" hashes in recent versions? AFAIK it uses SHA1 with a per-user salt. This page describes it as insecure: http://dustwell.com/how-to-handle-passwords-bcrypt.html

Adriano

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
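The distinction Mark draws above (a salted fast hash versus a KDF with a work factor) is easiest to see side by side. The following is an added example for this page, not code from the thread, from Firebird, or from the linked article. The `sha1$salt$hash` record is a simplified stand-in for the "SHA1 with a per-user salt" scheme Adriano describes, not Firebird's actual storage format; the `pbkdf2-sha256$iterations$salt$hash` record, the `MIN_ITERATIONS` policy value and the sample passwords are all assumptions chosen for illustration. Both records carry their own scheme and parameters, which is what makes a transparent upgrade at next login possible.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs for this example (not from any real system).
SAMPLE_PASSWORD = "correct horse battery staple"
WRONG_PASSWORD = "Tr0ub4dor&3"

# Assumed policy: minimum PBKDF2 iteration count we accept before forcing a
# re-hash. Tune it to your own login-latency budget; raise it over time.
MIN_ITERATIONS = 100_000


def sha1_salted(password: str, salt: bytes) -> bytes:
    """One SHA-1 over salt||password (illustrative, not Firebird's exact layout).

    The per-user salt defeats precomputed (rainbow) tables, but one fast hash
    per guess still lets an offline attacker try billions of candidates per
    second on commodity GPUs."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt, plus an iteration count that charges
    every guess `iterations` HMAC evaluations, for attacker and defender alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(password: str, scheme: str, iterations: int = MIN_ITERATIONS) -> str:
    """Build a self-describing record: scheme$[params$]salt$hash, hex encoded.

    Storing the scheme and its parameters next to the hash is what lets old
    records be recognised and upgraded later."""
    salt = os.urandom(16)
    if scheme == "sha1":
        return "sha1$%s$%s" % (salt.hex(), sha1_salted(password, salt).hex())
    if scheme == "pbkdf2-sha256":
        digest = pbkdf2_sha256(password, salt, iterations)
        return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())
    raise ValueError("unknown scheme: %r" % scheme)


def verify(password: str, record: str) -> bool:
    """Recompute under the record's own scheme and compare in constant time.
    Any malformed record (unknown scheme, bad hex, bad count) verifies as False."""
    scheme, *fields = record.split("$")
    try:
        if scheme == "sha1":
            salt_hex, digest_hex = fields
            candidate = sha1_salted(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2-sha256":
            iter_str, salt_hex, digest_hex = fields
            candidate = pbkdf2_sha256(password, bytes.fromhex(salt_hex), int(iter_str))
        else:
            return False
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # wrong field count, non-hex salt/digest, non-integer count
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = MIN_ITERATIONS) -> bool:
    """True for a legacy fast hash or an under-parameterised KDF record."""
    scheme, *fields = record.split("$")
    if scheme == "pbkdf2-sha256" and fields and fields[0].isdigit():
        return int(fields[0]) < min_iterations
    return True


def login_and_upgrade(password: str, record: str):
    """Verify; on success, re-hash legacy records with current parameters.
    Login is the one moment the plaintext is available, so migrate here."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record):
        record = make_record(password, "pbkdf2-sha256")
    return True, record


def guesses_per_second(record: str, seconds: float = 0.25) -> float:
    """Rough single-core attacker throughput: wrong guesses rejected per second
    under the record's own scheme. Expect orders of magnitude between the two."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verify("guess%d" % n, record)
        n += 1
    return n / seconds


if __name__ == "__main__":
    for scheme in ("sha1", "pbkdf2-sha256"):
        rec = make_record(SAMPLE_PASSWORD, scheme)
        print("%-14s ok=%s wrong=%s needs_rehash=%s ~%.0f guesses/s" % (
            scheme, verify(SAMPLE_PASSWORD, rec), verify(WRONG_PASSWORD, rec),
            needs_rehash(rec), guesses_per_second(rec)))
```

Running the script prints the two verification results and a rough guess rate for each scheme; the ratio between the two rates is the work factor the quoted reply is talking about, and it is the only thing separating the salted SHA-1 record from the PBKDF2 one, since both use a random per-user salt. A bcrypt or scrypt record would slot into `make_record`/`verify` the same way, with its own scheme tag and cost parameter.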