
Formspring Breach – Let the Password Cracking Commence - grecs
http://www.novainfosecportal.com/2012/07/11/formspring-breach-let-the-password-cracking-commence/
======
iloveponies
From the official Formspring post regarding this:

> The post did not contain usernames or any other identifying information.

> ... upgraded our hashing mechanisms from sha-256 with random salts to bcrypt
> ...

So not only are the hashes calculated with SHA256 (which is more
computationally more expensive than SHA1) - but it also appears there is
nothing to tie a username to a password. It's also not clear if the salts were
revealed either thus making the "cracking" not only difficult, but for what
could be seen as little gain as compared to the leaks of last.fm and LinkedIn.

