

Are you sure SHA-1+salt is enough for passwords? - FSecurePal
http://www.f-secure.com/weblog/archives/00002095.html

======
yuhong
Yeah, tptacek has warned about it for a while now, particularly after the
rainbow table fiasco started by Jeff Atwood.

------
peterwwillis
Do we really care if our users' password "password1" is cracked? If we're not
going to enforce complex passwords then trying to fight brute force cracks is
pointless. They can just check the 1000 most commonly used passwords and net a
tenth of the accounts. On the other hand, enforcing a strong password would
make it virtually impossible no matter what the algorithm.

