On 21.07.2017 13:38, Adriano dos Santos Fernandes wrote:
On 19/07/2017 15:51, Mark Rotteveel wrote:
In most cases original string (password) is not even stored and hashes
are used to check if a password matches a previously one.
The proposed hashes are **not** suitable for passwords; you shouldn't
use a pure cryptographic hash for passwords as they are optimized for
speed. For passwords you need to use an algorithm with a work
factor/iteration count (eg pbkdf2, bcrypt) that slows it down.
Mark, this is interesting. I know bcrypt is very used by nodejs/expess
people and I even used it myself.
But what is more interesting, isn't Firebird still using these "not
suitable for passwords" hashes in recent versions?
AFAIK it uses SHA1 with per user SALT.
Yes, but SHA1 weakness becomes important only when password becomes as
long as hash, i.e. 20 bytes for sha1. Without enforcing users to have
long passwords replacing hash makes no sense.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
