>>
>>Hmm...so it appears SHA1 is falling out of favor. SHA 2 (w/512 bit digest) is probably a better choice at this point.
>>Here's an interesting article about it:
>>http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>>
>>Still, it seems like maybe performing some translation or calculation on the salt before adding it to the password should help mitigate this somewhat. Just having the salt and password hash wouldn't be enough - you'd also need to know what the transform looked like on the salt (although I'd bet that if you could recover a few of them the transform would probably be easy to recover if you're not careful). Shrug - this encryption/hashing stuff is hard.
>
>
>I'm using md5 to calculate a hash of a password.
>
>I start off with the hash of the password. Then, I do a series of hashes where each new hash is done with the previous hash + a substring of the password.
>The number of additional hashes depends on (1) the password length and (2) the byte value of each of the bytes modulo a number.
>If you don't know how I hash, how can you crack it - I wonder.
Mmmh, but consider the case where the hacker has at least 1 couple of pwd and hash - his very own? Probably he'd fire up 20 or 666 new pwds just after finding an open door, to load the last entries with known data to get a chance at finding such things out?