But toUTCString() doesn't return a string with any '/' characters, at least in FF3, so it's really just:
SHA1(new Date().toUTCString())
And toUTCString() trims milliseconds, so really it's just the SHA1 of the current time, to the second. Not very strong no matter how 'long' the output.
So, if you knew someone used that site to generate their password, look at the date the account was created, SHA1 all the times on that date, and dictionary attack it? Just my first guess, I'm not a master programmer or anything.
Yes. And there are even ways to tell where someone has visited -- so you might try this only against people who have visited that site/blog. Or the author of the blog's accounts elsewhere.
It's not much worse than the other ways people pick low-security passwords, but it doesn't justify its length, or meet its goal of: "Passwords should be secure. One way to achieve this is by making them very long."
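An added example, not part of any comment in this thread and not the site's own code: it measures how small the output space of SHA1(new Date().toUTCString()) is and checks whether a given password falls inside it for one UTC day. It assumes Node.js, its toUTCString() format, and lowercase hex encoding of the digest (the thread does not say how the site encodes it); all function names are hypothetical.

```javascript
// Added example: the real keyspace of SHA1(new Date().toUTCString()).
const crypto = require("crypto");

const SECONDS_PER_DAY = 24 * 60 * 60; // 86400 possible outputs per day

// What the generator computes for a given instant.
// Assumption: the digest is rendered as lowercase hex.
function generate(date) {
  return crypto.createHash("sha1").update(date.toUTCString()).digest("hex");
}

// Bits of entropy when the only unknown is the second within `days` days.
function effectiveBits(days) {
  return Math.log2(days * SECONDS_PER_DAY);
}

// Audit check: was `password` produced by the generator on this UTC day?
// Returns the matching timestamp string, or null. `month` is 1-based.
function generatedOn(password, year, month, day) {
  const start = Date.UTC(year, month - 1, day);
  for (let s = 0; s < SECONDS_PER_DAY; s++) {
    const t = new Date(start + s * 1000);
    if (generate(t) === password) return t.toUTCString();
  }
  return null;
}

// Constructed sample: a 40-character "long" password made at an arbitrary
// instant. The 812 ms are there to show that toUTCString() discards them.
const sample = generate(new Date(Date.UTC(2009, 2, 3, 14, 25, 7, 812)));

console.log(sample.length, "hex chars,", effectiveBits(1).toFixed(1), "bits per day");
console.log("one year of seconds:", effectiveBits(365).toFixed(1), "bits");
console.log("sample matched at:", generatedOn(sample, 2009, 3, 3));

// A 160-bit value from a CSPRNG has the same length but is not in the set.
const random = crypto.randomBytes(20).toString("hex");
console.log("random value matched at:", generatedOn(random, 2009, 3, 3));
```

The output is 40 hex characters either way; only the input space decides the strength, which is why length alone says nothing here.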
The password-generating code is: