On Wednesday, February 13, 2013 at 3:09 PM, Antoine Pitrou wrote: > Donald Stufft <donald.stufft <at> gmail.com (http://gmail.com)> writes: > > > > The midterm "at once" is still possible, it just bcrypt's the existing sha1 > > passwords. > > This is better then unsalted sha1's but it's *worse* than just plain > > bcrypt. > > > > > Why is it worse? SHA1 isn't terribly broken AFAIK. Because you lower the available entropy, "birthday paradox". > > > So yes for that week if the DB gets stolen we will be vulnerable > > to those passwords being bruteforced, but with an upcoming forced reset > > that > > risk is > > pretty minimal and the risk of my custom bcrypt+sha1 code breaking in an > > edge > > case > > is higher. > > > > > Yeah, well, that's because you are forcing a full reset. I wouldn't call that > a "migration" since you are forcing users to re-enter new data. > > Regards > > Antoine. > > > _______________________________________________ > Catalog-SIG mailing list > Catalog-SIG@python.org (mailto:Catalog-SIG@python.org) > http://mail.python.org/mailman/listinfo/catalog-sig > >
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
