On 21/07/2017 08:00, Alex via Firebird-devel wrote:
>>>
>> Mark, this is interesting. I know bcrypt is very used by nodejs/express
>> people and I even used it myself.
>>
>> But what is more interesting, isn't Firebird still using these "not
>> suitable for passwords" hashes in recent versions?
>>
>> AFAIK it uses SHA1 with per user SALT.
>>
>
> Yes, but SHA1 weakness becomes important only when password becomes as
> long as hash, i.e. 20 bytes for sha1. Without enforcing users to have
> long passwords replacing hash makes no sense.

I think the point is, if a cracker has a security database, it can run
billions of SHA1 hashes per second using the same salt in a brute force
attack, because SHA1 is a fast (suitable to hash large files) algorithm.

With bcrypt, which is purposely slow, the cracker can't do a brute force
attack so easily.


Adriano
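
The asymmetry Adriano describes, as an added example that is not part of this thread and not Firebird's own code: the same brute-force loop run against a per-user-salted SHA-1 hash and against a deliberately slow hash with a tunable work factor. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib (an assumed 50,000 iterations) stands in for it; the property that matters, that every guess costs many hash computations instead of one, is the same. The salt, the three-letter lowercase alphabet and the sample password are constructed so the search finishes in seconds, and the single SHA-1 over salt || password is a generic stand-in, not a reproduction of Firebird's exact construction.

```python
import hashlib
import itertools
import string
import time

# Constructed sample data: a tiny keyspace so the search finishes quickly.
# A real attacker uses wordlists, rules and GPU code, but the loop is the same.
ALPHABET = string.ascii_lowercase
PASSWORD_LENGTH = 3
SAMPLE_PASSWORD = "abd"                       # the 30th candidate in search order
SALT = b"\x00\x01\x02\x03\x04\x05\x06\x07"    # assumed per-user salt, stored next to the hash

PBKDF2_ITERATIONS = 50_000                   # assumed work factor for the slow hash


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Fast hash: one SHA-1 over salt || password. Generic stand-in for the
    salted-SHA-1 scheme discussed in the thread, not Firebird's exact layout."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_kdf(password: str, salt: bytes) -> bytes:
    """Deliberately slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (bcrypt is not in the standard library); each guess costs ~ITERATIONS
    HMAC computations instead of a single SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def brute_force(target: bytes, salt: bytes, hash_fn):
    """Try every PASSWORD_LENGTH-character candidate over ALPHABET with the
    salt the attacker already holds. Returns (password or None, guesses, seconds)."""
    start = time.perf_counter()
    guesses = 0
    for chars in itertools.product(ALPHABET, repeat=PASSWORD_LENGTH):
        candidate = "".join(chars)
        guesses += 1
        if hash_fn(candidate, salt) == target:
            return candidate, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def hashes_per_second(hash_fn, n: int) -> float:
    """Measure how many guesses per second this single-threaded Python loop
    manages with hash_fn; the ratio between the two functions is the point."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn("guess%d" % i, SALT)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return n / elapsed


def crack(hash_fn):
    """Hash the sample password the way the database would, then attack it."""
    stored = hash_fn(SAMPLE_PASSWORD, SALT)
    return brute_force(stored, SALT, hash_fn)


if __name__ == "__main__":
    for name, fn, n in (("salted SHA-1", salted_sha1, 20_000), ("PBKDF2 (slow)", slow_kdf, 3)):
        found, guesses, secs = crack(fn)
        print("%-14s recovered %r after %d guesses in %.3fs; ~%.0f hashes/s"
              % (name, found, guesses, secs, hashes_per_second(fn, n)))
```

Both searches recover the password, because the keyspace is tiny and the attacker holds the salt; the salt only defeats precomputed tables and forces each user to be attacked separately, it does not make an individual guess more expensive. The work factor does that: the rate printed for the slow hash is tens of guesses per second against hundreds of thousands for SHA-1 even in pure Python, and the gap is what limits how much of a realistic keyspace an attacker can cover once the security database has leaked.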


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel