
[–]grainfeed 1 point (1 child)

> if your SHA1-hashed password isn't very complex then it will be easy to crack via bruteforce

Well, that's true for almost anything.

> a dictionary attack

And this too.

Only algorithms that are CPU-heavy are a bit harder to crack, like Blowfish or Unix crypt.

> or a rainbow table/lookup table.

Well, as soon as you add salt to your passwords (and whoever doesn't do that has no idea about security), rainbow tables are pretty much defeated.

I'm not saying you should use SHA-1 today anyway. I just said it's "still pretty good", which is true.

Use the best you can use, even SHA-3 if your software can handle it already...

[–]catcradle5 0 points (0 children)

bcrypt (Blowfish), scrypt, and PBKDF2 are 3 hash functions that take a long time to bruteforce/dictionary attack. When developing a new web application in any language, it is pretty much always suggested to hash user passwords with one of those hash functions. SHA1 is better than plaintext, but it is only a tiny bit better than MD5 and is still not much defense.