[thephyber]

I think gp is complaining that the second you type your password into the form, you've "used it", hence you should change it.

The gp makes a good point, but that's also why you can submit the `sha1($your_password)` instead. The only question is why did Troy allow un-hashed passwords to be submitted.

[jaclaz]

Maybe - even better - if you could submit only - say - first 8 characters of the SHA1 (and NOT the complete hash) and provide - still say - max 10 "whole" hashes found with that 8 char beginning (if more than 10 ask for a ninth char).

I mean, here is the SHA1 of my password (not really):

d012f68144ed0f121d3cc330a17eec528c2e7d59

This site:

https://hashkiller.co.uk/sha1-decrypter.aspx

>We have a total of just over 312.072 billion unique decrypted SHA1 hashes since August 2007.

Took exactly 221 ms to reverse it to "pippo".