Hey Josh,

> I'm not a cryptographer either, but note that SHA-1 is used by Git and others
> for its speed. For hashing passwords, this is a bug, not a feature -- checking
> passwords should be slow rather than quick. One hash function designed for
> passwords is bcrypt().

Yes, absolutely. There is a lot of thought that has gone into this. You can spend a long time trying to decide on a better strategy, and sha1 is no longer considered a particularly good strategy.

I will point out that the appdb is a completely volunteer effort, and I think it needs volunteers badly. So, patches are more than welcome <evil grin>.

Cheers,

Jeremy
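The fast-versus-slow point discussed above, as an added example that is not part of the original thread or the appdb code: a login check that accepts a legacy SHA-1 hash once and replaces it with a slow, salted hash. Assumptions: the legacy hashes are unsalted SHA-1 hex digests, PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the function names, record format and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune it so a single check costs tens of milliseconds.
ITERATIONS = 200_000
PREFIX = "pbkdf2_sha256"  # hypothetical tag marking upgraded records


def legacy_sha1(password):
    """Fast, unsalted SHA-1 hex digest (assumed legacy storage format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash; the record carries its own parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([PREFIX, str(iterations), salt.hex(), dk.hex()])


def verify(password, stored):
    """Check a password against a stored record.

    Returns (ok, replacement). replacement is a new slow-hash record to
    write back when a legacy SHA-1 record verified, otherwise None.
    """
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(candidate, stored), None

    # Legacy path: verify against SHA-1 once, then upgrade the record.
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (slow_hash(password) if ok else None)


if __name__ == "__main__":
    record = legacy_sha1("correct horse")        # constructed sample record
    ok, upgraded = verify("correct horse", record)
    print(ok, upgraded.split("$")[:2])           # legacy record accepted, upgraded
    print(verify("correct horse", upgraded))     # slow record verifies, no rewrite
    print(verify("wrong guess", upgraded))       # rejected
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating existing hashes.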