On Thu, Dec 23, 2010 at 12:12:05AM +0100, Laurens Van Houtven wrote:
> On Thu, Dec 23, 2010 at 12:01 AM, Joerg Sonnenberger
> <jo...@britannica.bec.de> wrote:
> > On Wed, Dec 22, 2010 at 11:06:47PM +0100, Laurens Van Houtven wrote:
> >> I was looking at
> >> http://www.fossil-scm.org/index.html/doc/trunk/www/password.wiki and
> >> worried about the case of a compromised repository. Why does Fossil
> >> use SHA1 and not scrypt/bcrypt to store passwords?
> >
> > Positive: the passwords (if encrypted) are salted based on the project code
> > and login name. So at least two users with the same password have
> > different encrypted passwords.
>
> If I understand correctly, the nonce (the project code part and the
> user name part) is known up front, so you wouldn't have to wait for a
> compromised repository. You'd need numusers*dictsize worth of space
> which may be pretty large (perhaps too large to be feasible), but
> still nowhere near (2**nonce_bits)*dict_size which is the number that
> backs the claim that nonces make (up-front) dictionary attacks
> infeasible.
The project-code is supposedly unique and not shared between repositories.
E.g. it changes on clone. I'm not sure if it can be obtained without admin
access. My point was primarily that a dictionary attack still has to build a
dictionary for every user, which is an improvement over stupid MD5/SHA1
schemes seen often enough.

Joerg
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
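An added illustration of the two schemes the thread contrasts, written for this page rather than taken from Fossil: a deterministic salt (project code + login) over fast SHA1 next to a random per-user salt over scrypt, plus the table-size arithmetic from Laurens's message. The exact way Fossil concatenates project code, login and password is an assumption here; only the "fixed, knowable salt" property matters for the argument.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy-style scheme as described in the thread: one fast SHA1 over a salt
# that is fully determined by project code and login name. The "/"-joined
# layout is an assumption, not Fossil's documented format.
def legacy_hash(project_code: str, login: str, password: str) -> str:
    return hashlib.sha1(f"{project_code}/{login}/{password}".encode()).hexdigest()

# Hardened scheme: a random 128-bit salt stored next to the digest and a
# memory-hard KDF. Parameters are a modest, runnable choice (16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest

def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(scrypt_record(password, salt)[1], digest)

def legacy_is_precomputable(project_code: str, login: str, password: str) -> bool:
    """True: two independent enrolments of the same credentials store the same
    value, so whoever knows project code and login can build a table early."""
    return legacy_hash(project_code, login, password) == \
        legacy_hash(project_code, login, password)

def scrypt_is_precomputable(password: str) -> bool:
    """False: the salt is chosen at enrolment, so the stored value cannot be
    tabulated before the record exists."""
    return scrypt_record(password)[1] == scrypt_record(password)[1]

def table_entries(dict_size: int, users: int, salt_bits: Optional[int] = None) -> int:
    """Size of an up-front table: numusers*dictsize for a knowable salt,
    (2**salt_bits)*dictsize for a random one, as counted in the thread."""
    return dict_size * (users if salt_bits is None else 2 ** salt_bits)
```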