

Redux: Are you sure SHA-1+salt is enough for passwords? - Sami_Lehtinen
http://www.f-secure.com/weblog/archives/00002379.html

======
Sami_Lehtinen
"And this is the assumption any security design should be based on; an
attacker has access to everything that is on the server."

1\. So passwords aren't meaningful at that point anymore anyway. Who cares
about passwords, if attackers already got full administrative/root access?

2\. They also can modify authentication code so that it stores plaintext
passwords whenever anyone logs in. - But as said, this is absolutely pointless
due to the first point.

