On Dec 22, 2010, at 23:39 , Richard Hipp wrote:

> SHA1 is already available in the source tree whereas scrypt/bcrypt introduce
> unwanted and undesirable dependencies. Also, if the repository is
> compromised, such that the adversary is able to mount a dictionary attack
> against the passwords, what makes you think scrypt/bcrypt is going to be any
> stronger than SHA1?

The very idea of bcrypt is to be somewhat stronger in this situation than SHA-whatever. Or any "message digest" algorithm. It achieves this aim by being awfully slow. So slow, that mounting a brute force on it would be forbiddingly expensive.

Kind regards,
Remigiusz Modrzejewski

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
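
The per-guess cost difference discussed in this exchange can be measured directly. The following is an added example, not code from Fossil or from either poster: it compares salted SHA1 with Python's `hashlib.scrypt`, and the work factors (N=2**14, r=8, p=1), candidate strings and dictionary size are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed scrypt work factors for this example (not taken from the thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def sha1_hash(password: bytes, salt: bytes) -> bytes:
    """Fast message digest: one salted SHA1 invocation per guess."""
    return hashlib.sha1(salt + password).digest()

def scrypt_hash(password: bytes, salt: bytes) -> bytes:
    """Deliberately slow, memory-hard KDF: about 16 MiB of work per guess."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)

def verify(candidate: bytes, salt: bytes, stored: bytes, fn) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(fn(candidate, salt), stored)

def seconds_per_guess(fn, salt: bytes, trials: int) -> float:
    """Average wall-clock cost of hashing one candidate password."""
    start = time.perf_counter()
    for i in range(trials):
        fn(b"candidate-%d" % i, salt)
    return (time.perf_counter() - start) / trials

def compare(dictionary_size: int = 10_000_000) -> dict:
    """Estimate single-core time to try every dictionary word against one hash."""
    salt = os.urandom(16)
    fast = seconds_per_guess(sha1_hash, salt, 20_000)
    slow = seconds_per_guess(scrypt_hash, salt, 5)
    return {
        "sha1_s_per_guess": fast,
        "scrypt_s_per_guess": slow,
        "slowdown": slow / fast,
        "sha1_dictionary_hours": fast * dictionary_size / 3600,
        "scrypt_dictionary_hours": slow * dictionary_size / 3600,
    }

if __name__ == "__main__":
    # Absolute timings are specific to this machine; the ratio is the point.
    for key, value in compare().items():
        print(f"{key:>24}: {value:.6g}")
```

A legitimate login pays the slow cost once per attempt, while a dictionary attack against a stolen hash pays it once per guess.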