top | item 6637679

(no title)

With sane defaults, bcrypted passwords are "worthless" in the hands of a casual attacker.

Somebody would have to REALLY want to access your account and have SIGNIFICANT financial/computational resources to crack it. And that only gives them one password. Significant and independent work is required for each individual password.

On the other hand, there's nothing stopping a developer from doing something really dumb like setting bcrypt iterations to 1.

discuss

s_kilk|12 years ago

>> On the other hand, there's nothing stopping a developer from doing something really dumb like setting bcrypt iterations to 1.

I _really_ hope that doesn't turn out to be the case here.