You're not reading what I'm saying, either that or you're choosing to misinterpret me.
Brute force is a plausible attack against anything. No, doofus, I don't mean that you sit there and try to decrypt the SHA-1 - that's impossible. Instead, once you have the salt (which you can have easily since it's in the code which we've already surmised you have access to), you start with the dict database, and then various crack databases out there. In comparatively little time, you're likely to have cracked some 50+% of the passwords in that salted, SHA-1'ed database.
Unless, of course, the cretinously short-sighted designers of the system were so up their own arses about security that they put in all sorts of rules about what you can put in your passwords, requiring symbols, numbers, and no recognisable words, etc. In those cases, we can safely assume that the system is indeed secure - it's also secure from quite a sizeable percentage of users, who won't bother themselves with it.
2) Who said anything about HTTPS transactions? 99.9% of the logins are not HTTPS'ed. If I really want to sniff your fucking password that you use for everything, I'll sniff it from one of those other sites that don't have HTTPS login forms.
Now please stop assuming that everyone is as dumb as you and understand that there are people out there who are vastly more skilled at cracking systems than you can contemplate, and they will fuck you sideways should they really want to. And no, there's nothing you can do to protect yourself against them, other than not be online.
This should not be so surprising. It's the same offline. If someone really wants to kill you, particularly if you don't know that they do, and they're skilled enough at it, you're dead.