Passwords are stored in an insecure un-salted form #57

Open
jammin84 opened this issue Feb 10, 2016 · 2 comments

Comments

@jammin84
Contributor

The password stored in the db is a straight md5, unsalted,
as seen in
globals/classes/userdata.php:83
$this->check_login($username, md5($password))

At a minimum I would expect:

  • Some kind of salt be used.
    • The salt could be generated at time of install.
  • Don't use md5 (it's easily crackable).
  • Use an open platform.

Other suggestions welcome.
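
Added example, not part of the original issue or the project's code: one way to move off unsalted MD5 without forcing a password reset, by checking the legacy digest once and re-hashing with PHP's `password_hash()` on a successful login. It relies on the random per-password salt that `password_hash()` generates rather than an install-time salt; the `$users` array and the function names are hypothetical stand-ins for the real user table and login code.

```php
<?php
// Added example, not project code. $users is a constructed in-memory
// stand-in for the users table (username => stored password value).

/** Legacy rows hold the 32 hex characters produced by md5($password). */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/**
 * Check a login. After a successful check against a legacy MD5 row (or a
 * password_hash() value with outdated parameters), store a fresh hash.
 */
function verify_and_upgrade(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    $legacy = is_legacy_md5($stored);

    // hash_equals() compares the two digests in constant time.
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // password_hash() picks a random salt and embeds it, with the
        // algorithm and cost, in the string it returns.
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one legacy row.
$users = ['alice' => md5('correct horse')];

// A failed login leaves the row alone; a successful one replaces it,
// and later logins go through password_verify().
var_dump(verify_and_upgrade($users, 'alice', 'wrong guess'));
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
var_dump(is_legacy_md5($users['alice']));
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
```

Rows belonging to users who never log in again stay as unsalted MD5 under this approach, so they still need a forced reset or expiry.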

@spinza
Contributor

spinza commented Feb 10, 2016

Sounds good. We are probably moving our sign-in to be based on our forum. I.e. not using wind login at all. Enables tighter integration. Will post an issue for that soon.

@MDE186
Contributor

MDE186 commented Jun 27, 2016
