Comments (5)
This custom class is based on and fully compatible with phpass, which is used by major PHP applications, including WordPress. Although salted MD5 is not secure, the phpass algorithm uses password stretching to make generating the hash much more computationally expensive, and therefore more secure.
from webissues.
Stretching the password may be more secure, but it is still not comparable with bcrypt, which is used in password_hash by default.
Also, the authors of phpass say on their own website not to use it unless the project requires < PHP 5.5, which is not the case here:
> At this time, if your new project can afford to require PHP 5.5+, which it should, please use PHP's native password_hash() / password_verify() API instead of phpass.
I don't see the point in not using the native functions with a better hashing algorithm. The only downside would be that users have to re-enter/change their password one time. Given the gain in security, it is a no-brainer in my opinion. Although this could be mitigated by using both - phpass and the native functions - for a short time: deprecating phpass and only using it to check passwords, but not to store new ones. When logging in, if the phpass check method returns false, also check with the password_verify function. Also, notify the users in the client to re-enter their password to use the better hashing algorithm. And eventually, remove phpass completely in a few releases.
I also don't know if WordPress is the best password security benchmark for this. They also don't use the vanilla phpass library; they modified it to use 8192 iterations when hashing. Frameworks like Drupal 7 changed phpass to use SHA-512. (Ref)
It is not hard to crack a password generated with phpass; there are multiple tools, like hashcat, that have support for this exact hash type, cracking simple passwords in 1-10 seconds and more complex ones in a few minutes. No hashing algorithm is perfect, but this is just too fast and renders the hashing itself obsolete.
I would fork this anyway and implement it in such a way since we plan on using this tool. I can open a PR regarding this if wanted.
from webissues.
You're welcome to open a PR. I have nothing against using password_hash as long as the current hashes continue to work - they can be updated automatically when the user logs in.
from webissues.
I can only think of two solutions for this problem, since it's not possible to rehash the old md5 hash with bcrypt:
- Accept the md5 for checking the password, so the users can still log in, and set passwd_temp to true for everyone so that they have to enter a new password (or the same one), which then gets hashed with bcrypt.
- Accept the md5 for checking the password, but display a warning alert describing that it's recommended to change the password if it's not encrypted with bcrypt.
In both cases, only the md5 methods for checking the password would still be present. Everything related to generating new hashes would be handled by password_hash with bcrypt.
from webissues.
They don't have to enter a new password. When a user logs in and the password is validated using phpass, it can be automatically hashed using password_hash and updated in the database.
from webissues.
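The login-time upgrade described in the thread (verify with phpass, then immediately store a bcrypt hash via password_hash), as an added example that is not WebIssues code. It assumes the phpass PasswordHash class is loadable from PasswordHash.php and that the caller supplies a `$store` callback that persists the new hash for a user id; both are assumptions, not the project's API.

```php
<?php
// Added example, not WebIssues code. Transparent phpass -> bcrypt migration on login.
// Assumes: phpass's PasswordHash class (real API: new PasswordHash($log2, $portable),
// ->CheckPassword($pw, $hash)) and a caller-supplied $store($userId, $newHash) callback.
require_once 'PasswordHash.php';

const BCRYPT_OPTIONS = ['cost' => 12]; // tune to your hardware; raise over time

function isLegacyPhpassHash(string $hash): bool
{
    // phpass portable hashes are prefixed "$P$" ("$H$" in the phpBB variant);
    // password_hash() bcrypt output is prefixed "$2y$", so the prefix tells them apart.
    return strncmp($hash, '$P$', 3) === 0 || strncmp($hash, '$H$', 3) === 0;
}

/**
 * Returns true if $password matches $user['password_hash'].
 * As a side effect, upgrades a legacy phpass hash (or an under-cost bcrypt hash)
 * to bcrypt by calling $store($userId, $newHash), because this is the only moment
 * the plaintext is available: a stored MD5-based hash cannot be converted offline.
 */
function verifyAndUpgrade(array $user, string $password, callable $store): bool
{
    $stored = $user['password_hash'];

    if (isLegacyPhpassHash($stored)) {
        // Iteration count and portability are read from the hash itself on verify;
        // the constructor arguments only matter when generating new phpass hashes.
        $phpass = new PasswordHash(8, true);
        if (!$phpass->CheckPassword($password, $stored)) {
            return false;
        }
        $store($user['id'], password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt: still rehash if the stored cost is below the current policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $store($user['id'], password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
    }
    return true;
}
```

Once every active account has logged in at least once, the `isLegacyPhpassHash` branch can be removed along with the phpass dependency; accounts that never log in keep their legacy hash and should be handled by the passwd_temp reset suggested above.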