Changing password hashing algorithm from sha1 #68
base: master
to bcrypt using the password_hash() function. We now transfer the password in plain text from client to server; before, we sha1-hashed it. So make sure you have SSL activated for Wedge. I completely rewrote the login authentication; the old code was full of compatibility stuff which is not needed anymore in my opinion. Login stuff should be as short and simple as possible to make sure it's not buggy. This is still WIP; currently you have to change the {db_prefix}members passwrd column to VARCHAR(255) to make this work properly.
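As an added example (not code from this pull request or from Wedge), the sketch below shows the login path the description talks about: a stored value is checked as either a legacy sha1 hash or a password_hash() bcrypt hash, a legacy row is upgraded to bcrypt on a successful login, and the bcrypt cost is read from a settings array rather than hard-coded. The legacy scheme (sha1 over the lowercased username followed by the password), the `$settings['bcrypt_cost']` key and the sample member row are all assumptions; only `password_hash()`, `password_verify()`, `password_needs_rehash()` and `hash_equals()` are real PHP functions.

```php
<?php
// Added example, not code from the pull request or from Wedge.
declare(strict_types=1);

// Assumption: a settings array read from Settings.php, like Wedge's $settings.
// 'bcrypt_cost' is a hypothetical key; 10 is PHP's default bcrypt cost.
$settings = ['bcrypt_cost' => 10];

// Assumed legacy scheme: sha1 over the lowercased username and the password,
// as in SMF-derived forums. Adjust to whatever the old login code computed.
function legacy_hash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

// A legacy hash is 40 hex characters; password_hash() output starts with "$2y$".
function is_legacy_hash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{40}$/i', $stored) === 1;
}

// Verify a login against the stored passwrd value. Returns whether the login
// succeeded and, when the stored value should be replaced, the new bcrypt hash
// to write back (the column must be wide enough, e.g. VARCHAR(255)).
function check_login(string $username, string $password, string $stored, int $cost): array
{
    $options = ['cost' => $cost];

    if (is_legacy_hash($stored)) {
        // Old sha1 row: compare in constant time, then upgrade on success.
        if (!hash_equals($stored, legacy_hash($username, $password))) {
            return ['ok' => false, 'new_hash' => null];
        }
        return ['ok' => true, 'new_hash' => password_hash($password, PASSWORD_BCRYPT, $options)];
    }

    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }

    // Already bcrypt: rehash only when the configured cost no longer matches.
    $new_hash = password_needs_rehash($stored, PASSWORD_BCRYPT, $options)
        ? password_hash($password, PASSWORD_BCRYPT, $options)
        : null;
    return ['ok' => true, 'new_hash' => $new_hash];
}

// Pick a cost for this host, modelled on the benchmark loop in the PHP manual
// for password_hash(): raise the cost until one hash takes about $target seconds.
function suggest_bcrypt_cost(float $target = 0.05): int
{
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark only', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $target && $cost < 31);
    return $cost;
}

// Constructed walk-through: a member row still holding a legacy sha1 hash.
$username = 'alice';
$stored   = legacy_hash($username, 'correct horse battery');

// First login: the legacy hash matches, so a bcrypt hash comes back for the
// UPDATE of {db_prefix}members.passwrd.
$first = check_login($username, 'correct horse battery', $stored, $settings['bcrypt_cost']);

// Second login against the migrated row: password_verify() succeeds and, with
// the cost unchanged, no further rehash is requested.
$second = check_login($username, 'correct horse battery', $first['new_hash'], $settings['bcrypt_cost']);

// A wrong password fails against either form of the stored hash.
$bad = check_login($username, 'wrong', $first['new_hash'], $settings['bcrypt_cost']);

printf("first: ok=%d rehash=%d; second: ok=%d rehash=%d; bad: ok=%d; suggested cost=%d\n",
    $first['ok'], $first['new_hash'] !== null, $second['ok'], $second['new_hash'] !== null,
    $bad['ok'], suggest_bcrypt_cost());
```

Because the legacy hash can only be recomputed from the plain-text password, the upgrade can happen only at login time, which is why the description requires TLS on the login form: the password now crosses the wire as submitted. `password_needs_rehash()` also lets the cost be raised later in Settings.php without a separate migration; rows catch up one login at a time.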
May be better to move the cost to a $settings var or something similar, mainly because many crappy free hostings will choke on a 10 cost, and also to give a chance to those lucky ones to use a higher cost too. Either on install or upgrade, use the function provided at the PHP docs. As for setting the cookies, I wouldn't worry about hashing the password; instead add a new table with a token and an expiration value. The good thing about this is that the password isn't set and this works on a "per computer" basis: if the token gets compromised the password is still secured and you can easily destroy the compromised token from your own table by deleting the record. I have a working class and so far I haven't seen any issues with it.
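The token table the reviewer describes, as an added example (this is not the reviewer's class and not Wedge code): a persistent-login cookie is backed by a row holding a random token and an expiry, nothing derived from the password hash, so a leaked or stolen token is revoked by deleting its row. The example uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); the `login_tokens` table, its columns and the member id are assumptions.

```php
<?php
// Added example, not the reviewer's class and not Wedge code.
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the forum's database;
// table and column names are invented for the example.
function token_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (
        selector   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        member_id  INTEGER NOT NULL,
        expires    INTEGER NOT NULL
    )');
    return $db;
}

// Issue a token for a member. The cookie value is "selector:validator"; only a
// hash of the validator is stored, so a copy of the table cannot be replayed
// as cookies. The password is never involved. Returns the cookie value.
function issue_token(PDO $db, int $member_id, int $ttl_seconds): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret part, stored only as a hash
    $stmt = $db->prepare('INSERT INTO login_tokens (selector, token_hash, member_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $member_id, time() + $ttl_seconds]);
    return $selector . ':' . $validator;
}

// Revoking a compromised token is a single delete; the password stays untouched.
function revoke_token(PDO $db, string $selector): void
{
    $db->prepare('DELETE FROM login_tokens WHERE selector = ?')->execute([$selector]);
}

// Resolve a cookie value to a member id, or null if the token is unknown,
// tampered with, or expired. Expired rows are removed when they are seen.
function member_from_cookie(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT token_hash, member_id, expires FROM login_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int) $row['expires'] < time()) {
        revoke_token($db, $selector);
        return null;
    }
    // Constant-time comparison of the validator hash.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['member_id'];
}

// Constructed walk-through: issue a token for member 42, use it, revoke it.
$db     = token_db();
$cookie = issue_token($db, 42, 30 * 24 * 3600);   // value to place in the cookie
$before = member_from_cookie($db, $cookie);        // resolves while the row exists
revoke_token($db, explode(':', $cookie, 2)[0]);
$after  = member_from_cookie($db, $cookie);        // no longer resolves once revoked

printf("before revoke: %s; after revoke: %s\n", var_export($before, true), var_export($after, true));
```

Since the description already requires SSL for the login form, the same cookie should be set with the Secure and HttpOnly flags so the token never travels in the clear or is readable by page scripts. Listing a member's rows in this table also gives a natural "log out everywhere" action: delete all rows for that member id.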
@MissAllSunday thanks for reviewing this (and sorry for me taking so much time to answer)
This was (or is) planned. Just don't know when to finish and how to test this thing, because it's a bit critical to change this thing :D Changing this to use a variable from Settings.php should be simple enough.
I'm using those methods, what do you mean? Maybe I didn't get your point :)
The problem I had was that the session cookie was somehow getting generated on the basis of the hashed password (if I remember correctly). For me this behaviour sounds a bit weird and maybe we could just change that.
What's the latest news on this..? Is there any news actually..?
Nope, not any at all. If you find some time and think it's worth replacing sha1 with bcrypt, maybe this pull request is a good base. If I remember correctly most of the things worked, except maybe changing your password or something like that, but the login (and updating the old sha1 password with the new bcrypt thing if the old password hashes matched) worked. I would love to find some time to get this working... some day I will pick this one up again ^^
Well, I don't know, I'm a bit rusty with the password-related codebase. (Mostly because Lestrades.com doesn't use passwords, instead getting tokens from the Steampowered.com website... Much easier to register that way.)
Technically, changing one's password matters a lot I'd say... ;) Also: would it require a database update or everyone to log in again, if one simply updated their forum files with this..? |