Chris, if you are saying that a system that has a repo / db of sha1 passwords is vulnerable * ONLY * based on the fact that someone has access to the app server (to acquire the salt), then your bcrypt doesn't help in many siutations either.
If somebody had access to your server, what is stopping them from altering the login script / pages and just grabbing raw passwords that are submitted from people, before they even get passed on to the hashing and subsequent intended authentication procedure? I know that this requires an undetected crack on the app rather than a drive by grab all user details at once, but even so, if you are going to use general server insecurity as a comment of the suitability of part of a system (hash algorithm), the same has got to be applied back to your argument. -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
