Announcement

Symphony's issue tracker has been moved to Github.

Issues are displayed here for reference only and cannot be created or edited.

Closed #361: Unsafe password hashing algorithm

Symphony now uses md5 to hash passwords. This is a very unsafe way of hashing passwords. There are numerous sites that provide very fast cracking of these hashes.

An alternative would be to use salts, or a completely different algorithm (like SHA).

There’s a random password generator in the core which could be used to generate a salt on initial install. Good idea.

As far as I can see, the random password generator generates a fixed-length password, so simply appending it to the password (like traditional salt and pepper :)) is not really an option.

Maybe doing a bitwise multiplication (or something similar) is a better idea?

If I were to write some code for it, which Symphony version should I use?

We should look at using the sha1() function in PHP for Symphony 2.1. The tricky bit is how to upgrade existing passwords easily. This could be a pain for sites with lots of users.
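Added example (not part of this thread and not Symphony's own code) showing one way to handle the upgrade problem raised above: accept a login against a legacy unsalted md5 hash, and on the first successful login replace it with a salted, slow hash. It uses PHP's built-in password_hash() rather than the sha1() suggested in the thread; the user row shape and the helper names are assumptions.

```php
<?php
// Added example, not Symphony's code. Assumes a user row stored as an
// array with a 'password' column holding either a legacy md5 hex digest
// or a password_hash() string.

function isLegacyMd5(string $stored): bool
{
    // Legacy md5 digests are 32 lowercase hex characters;
    // password_hash() output always begins with '$'.
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function verifyAndUpgrade(array &$user, string $password): bool
{
    $stored = $user['password'];

    if (isLegacyMd5($stored)) {
        // Constant-time comparison so a mismatch does not leak
        // how many leading characters matched.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the weak hash with a salted,
        // deliberately slow one while we still have the plaintext.
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also re-hash if the default algorithm or cost has since increased.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample row for a user created under the old md5 scheme.
$user = ['username' => 'alice', 'password' => md5('correct horse')];

var_dump(verifyAndUpgrade($user, 'wrong password'));  // rejected, hash untouched
var_dump(verifyAndUpgrade($user, 'correct horse'));   // accepted, hash upgraded
var_dump(isLegacyMd5($user['password']));             // legacy hash is gone
var_dump(verifyAndUpgrade($user, 'correct horse'));   // now checked by password_verify
```

Until every account has logged in once, the remaining md5 rows are still weak, so a deployment would also want to force a reset for accounts that stay on the legacy format past a cut-off.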

Done: http://github.com/symphony/symphony-2/commit/03ac9494660caaa685f21ee1db106b0cdbe37531

Be sure to read the pre and post update notes provided by the updater.

Done

Two words: wow! thanks!

This issue is closed.
