From eabfe0769b11782a499c7d9d0c0f3a6f9c34b644 Mon Sep 17 00:00:00 2001
From: James Cole <thegrumpydictator@gmail.com>
Date: Fri, 9 Mar 2018 04:48:17 +0100
Subject: [PATCH] Update explanation for new PW hash check.

---
 resources/lang/en_US/firefly.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/lang/en_US/firefly.php b/resources/lang/en_US/firefly.php
index 99bc758bd0..f5e15f7b4c 100644
--- a/resources/lang/en_US/firefly.php
+++ b/resources/lang/en_US/firefly.php
@@ -500,10 +500,10 @@ return [
     'what_is_pw_security'                      => 'What is "verify password security"?',
     'secure_pw_title'                          => 'How to choose a secure password',
     'secure_pw_history'                        => 'In August 2017 well known security researcher Troy Hunt released a list of 306 million stolen passwords. These passwords were stolen during breakins at companies like LinkedIn, Adobe and NeoPets (and many more).',
-    'secure_pw_check_box'                      => 'By checking the box, Firefly III will send the SHA1 hash of your password to <a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a> to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.',
+    'secure_pw_check_box'                      => 'By checking the box, Firefly III will send the first five characters of the SHA1 hash of your password to <a href="https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/">the website of Troy Hunt</a> to see if it is on the list. This will stop you from using unsafe passwords as is recommended in the latest <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special Publication</a> on this subject.',
     'secure_pw_sha1'                           => 'But I thought SHA1 was broken?',
     'secure_pw_hash_speed'                     => 'Yes, but not in this context. As you can read on <a href="https://shattered.io/">the website detailing how they broke SHA1</a>, it is now slightly easier to find a "collision": another string that results in the same SHA1-hash. It now only takes 10,000 years using a single-GPU machine.',
-    'secure_pw_hash_security'                  => 'This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and sent over HTTPS.',
+    'secure_pw_hash_security'                  => 'This collision would not be equal to your password, nor would it be useful on (a site like) Firefly III. This application does not use SHA1 for password verification. So it is safe to check this box. Your password is hashed and only the first five characters of this hash are sent over HTTPS.',
     'secure_pw_should'                         => 'Should I check the box?',
     'secure_pw_long_password'                  => 'If you just generated a long, single-use password for Firefly III using some kind of password generator: <strong>no</strong>.',
     'secure_pw_short'                          => 'If you just entered the password you always use: <em>Please yes</em>.',