At Mon, 13 Feb 2012 15:25:36 +0100, Matt wrote:

> Has there already been thought given to updating the SHA1 to SHA256 or something?
>
> SHA1 is kinda old in my opinion, and security on passwords is everything!
MD/SHA are not designed for storing passwords and are actually pretty bad at it. The purpose of those functions is to generate a unique digest of large data in a fast way. But you don't want fast for your passwords, because the faster the algorithm, the faster you can brute force the password.

Algorithms like bcrypt are actually designed for storing passwords. It's a few orders of magnitude slower (you can actually specify how slow you want it to be), which makes brute forcing pretty much impossible even for not-so-random passwords. It goes a bit too far to explain all the details here, but if you google for it or look at Wikipedia you should find enough information about it.

Kind regards,

Jeroen Dekkers

--
[email protected]
https://inverse.ca/sogo/lists
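The point Jeroen makes (a fast digest such as SHA-1 lets an attacker test guesses at digest speed, while a password hash with a tunable cost does not) can be shown directly. The following is an added example, not code from SOGo or from anyone in this thread. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, because bcrypt needs a third-party package; the property being demonstrated, a per-user salt plus an iteration count that is stored with the hash and can be raised later, is the same. The `pbkdf2_sha256$<iterations>$<salt>$<digest>` storage format, the `CURRENT_ITERATIONS` policy value and all sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Storage format assumed for this example (not SOGo's own):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# The iteration count travels with the hash so the cost can be raised later
# without breaking existing records.
SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 100_000  # policy knob: higher is slower for attacker and server alike


def sha1_hash(password):
    """Unsalted SHA-1 digest: fast by design, which is exactly the problem."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Salted, iterated password hash (PBKDF2 standing in for bcrypt)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: same password, different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, policy_iterations=CURRENT_ITERATIONS):
    """True when a record was made with a lower cost than current policy.
    Call this after a successful login and re-store the password at the new cost."""
    scheme, iterations, _salt, _digest = stored.split("$")
    return scheme != SCHEME or int(iterations) < policy_iterations


def guesses_per_second(hash_fn, guesses=200):
    """Crude single-threaded measure of how fast an attacker could test guesses."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess%d" % i)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return guesses / elapsed


def dictionary_attack(stored, wordlist, verify_fn):
    """Offline guessing against one stolen record; returns the password or None."""
    for word in wordlist:
        if verify_fn(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    record = pbkdf2_hash("Winter2012!")
    print("stored record:", record)
    fast = guesses_per_second(sha1_hash)
    slow = guesses_per_second(lambda p: pbkdf2_hash(p, salt=b"\x00" * 16), guesses=5)
    print("SHA-1: %.0f guesses/s; PBKDF2(%d iterations): %.1f guesses/s; ratio %.0fx"
          % (fast, CURRENT_ITERATIONS, slow, fast / slow))
    print("dictionary hit:", dictionary_attack(record, ["password", "letmein", "Winter2012!"], pbkdf2_verify))
    print("needs rehash at current policy:", needs_rehash(record))
```

The measured ratio is what decides the outcome of an offline attack on a leaked password table: every guess an attacker makes costs the same number of iterations the server chose, so raising `CURRENT_ITERATIONS` and letting `needs_rehash` upgrade records on login keeps that cost tracking hardware speed, which is the "you can specify how slow you want it to be" property of bcrypt in a stdlib-only form.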
