On 7/27/2015 8:35 AM, Alex Peshkoff wrote:
> On 07/26/2015 10:36 PM, Jim Starkey wrote:
>
>> The bottom line is this: If you are going to change the password hash,
>> you are going to invalidate all existing passwords. But rather than
>> start over with an already flawed architecture, punt on storing
>> passwords at all and go exclusively with SRP.
> When I've said that SHA1 hashes are stored in security database, I've
> meant exactly SRP verifiers. SHA1 is used for calculation of SRP
> verifier, and this is the only result of SHA1 stored in the database.

That is as it should be. But as I said before, SHA-1 in SRP is used only to turn a known Bignum (which has many poor characteristics for an encryption key) into a 20-byte vector usable as a robust encryption key.

>
> BTW, except invalidation of all existing passwords this step also
> invalidates all old clients, including Java and C# clients, not using
> fbclient library. And it's hard to say what is worse.
>

And for nothing to be gained...

By the way, for those souls deeply concerned about accidental SHA-1 password collisions, the probability is 1 in 2^159 as the weaknesses of SHA-1 don't affect this problem. And despite the academic "weakness" of SHA-1, according to Wikipedia, nobody to date has found a SHA-1 collision, accidentally or intentionally.

Question: Does Firebird detect, report, and shut down repetitive attacks on passwords?

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
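
The SRP exchange this thread refers to, as an added example that is not part of the original message and is not Firebird's code: a generic SRP-6a sketch showing that the server stores a verifier derived through SHA-1 rather than a password hash, and that SHA-1 also reduces the shared bignum to a 20-byte session key. The toy group, the helper names and the sample credentials are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: toy group for illustration only. 2**127 - 1 is prime but far too
# small for real use; this is not the group Firebird or any deployment uses.
N = 2**127 - 1
G = 3
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> bytes:
    """SHA-1 over the concatenated parts (20-byte digest)."""
    return hashlib.sha1(b"".join(parts)).digest()

def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes(NLEN, "big")

def private_x(user: str, password: str, salt: bytes) -> int:
    # x = SHA1(salt | SHA1(user ":" password)); never stored, never sent
    return int.from_bytes(H(salt, H(f"{user}:{password}".encode())), "big")

def make_verifier(user: str, password: str, salt: bytes) -> int:
    """What the server stores next to the salt: v = g^x mod N."""
    return pow(G, private_x(user, password, salt), N)

def srp_exchange(user: str, password: str, salt: bytes, v: int):
    """Run client and server sides in one process; return (client_K, server_K)."""
    k = int.from_bytes(H(pad(N), pad(G)), "big")
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    A = pow(G, a, N)                          # sent client -> server
    B = (k * v + pow(G, b, N)) % N            # sent server -> client
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    x = private_x(user, password, salt)       # client recomputes from typed password
    s_client = pow((B - k * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    # SHA-1 turns the shared bignum S into a 20-byte session key
    return H(pad(s_client)), H(pad(s_server))

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    v = make_verifier("alice", "correct horse", salt)   # constructed credentials
    ck, sk = srp_exchange("alice", "correct horse", salt, v)
    print("keys match:", ck == sk, "key length:", len(ck))
    ck, sk = srp_exchange("alice", "wrong guess", salt, v)
    print("wrong password keys match:", ck == sk)
```
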