Except that we're not simply hashing a password....
we're hashing a password, that is nonced with the salt string...

Your 40 seconds also suggests pure alphanumeric passwords, all lowercase and
6 characters long, which is an incredibly weak password.

So yeah, assuming you could generate every password of that length in 40
seconds, and generate the hash for each of those passwords, it's not going to
do you much good unless you jam each of those passwords into the form (and
at that point, no matter *how* you are storing the password will protect
you).

If you have compromised the user table and have all of the hashed passwords,
your list of matches will not help because the stored passwords are nonced,
making your lookup completely worthless.

Cake's means of dealing with passwords is plenty secure...



On Tue, Sep 13, 2011 at 11:21 AM, Chris Cinelli <
[email protected]> wrote:

> Read the link I posted. 40 secs to bruteforce crack a hash
> On Sep 12, 2011 5:17 PM, "Ryan Schmidt" <[email protected]>
> wrote:
> >
> > On Sep 12, 2011, at 18:01, Chris Cinelli wrote:
> >
> >> Nowadays, normal hash functions like SHA1 are good for sessions and
> >> caching but not for storing passwords. Doing that is pretty much equivalent
> >> to having passwords in clear on the DB.
> >
> > Do you have documentation for this claim?
> >
> >
> > --
> > Our newest site for the community: CakePHP Video Tutorials
> > http://tv.cakephp.org
> > Check out the new CakePHP Questions site http://ask.cakephp.org and help
> > others with their CakePHP related questions.
> >
> >
> > To unsubscribe from this group, send email to
> > [email protected] For more options, visit this group
> > at http://groups.google.com/group/cake-php
>
>
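
The lookup argument in the message above, as an added Python example that is not part of the original thread and is not CakePHP's code: a table of precomputed unsalted SHA-1 values finds an unsalted hash but misses the salted one. It goes one step beyond the thread by also storing a record with a per-user random salt and PBKDF2, which is what raises the cost of each guess; the candidate list, the salt value, the salt-prefix layout and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for a
# precomputed dictionary, and a made-up application-wide salt.
CANDIDATES = ["abcdef", "qwerty", "letmein", "secret"]
APP_SALT = "constructed-example-salt-value"  # assumption, not a real salt


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute unsalted SHA-1 -> password, as a generic table would."""
    return {sha1_hex(p): p for p in candidates}


def store_salted(password, salt=APP_SALT):
    """SHA-1 over salt + password (prefix layout is an assumption)."""
    return sha1_hex(salt + password)


def lookup_results(password):
    """Return (hit for unsalted hash, hit for salted hash) from the table."""
    table = build_lookup(CANDIDATES)
    return table.get(sha1_hex(password)), table.get(store_salted(password))


def store_stretched(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (slow by design)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, iterations, digest


def verify_stretched(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(lookup_results("qwerty"))
    record = store_stretched("qwerty")
    print(verify_stretched("qwerty", record))
```

With one application-wide salt, two users who pick the same password still get the same stored value; the per-user salt in `store_stretched` removes that.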
