Ticket #1069 (open enhancement)

Stronger password hashes (and salts)

  • Created: 2015-12-28 17:29:00
  • Reported by: Studio384
  • Assigned to: None
  • Milestone: 1.6
  • Component: security
  • Priority: highest

FluxBB tends to save passwords in SHA-1 which isn't such a secure algorithm anymore. We should consider moving to a more secure algorithm and salts.

Perhaps something for 1.6?

History

Visman 2015-12-28 17:51:13

Need a unique salt for each user.

Studio384 2015-12-28 18:32:00

  • Milestone set to 1.6.
  • Priority changed from high to highest.

Well... with SHA-1 now so easy to decrypt...

TheBritain 2016-01-12 23:57:23

My users are going to be pissed at ANOTHER password change, this will be the third one. I suppose it's needed though. This might sound irresponsible, but is it too much to ask for a converter that takes your old hash, and then converts users' passwords over when this is implemented?

Studio384 2016-01-13 07:40:33

What? We can simply convert the password at first login, no need for the users to do - or even notice - anything.

Franz 2016-01-14 07:18:18

Plus, we can securely hash the old hashes on first update and use that algorithm to check whether the password needs an upgrade. smile

adaur 2016-04-13 06:21:59

If we support PHP >= 5.5, we could (should) use password_hash http://php.net/manual/fr/function.password-hash.php

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat
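The upgrade path sketched in the comments above (wrap the existing SHA-1 digests in a strong hash at upgrade time, then replace each one with a direct password_hash() of the real password on the user's first login), written out as an added example. This is not FluxBB code; it assumes legacy rows hold an unsalted SHA-1 hex digest and uses the PHP 5.5 password_* API, which password_compat also provides on older versions. The LEGACY_WRAP_PREFIX marker and the function names are this example's own.

```php
<?php
// Marker for rows whose stored value is password_hash(sha1(password)),
// i.e. a legacy digest that was wrapped by the upgrade script.
const LEGACY_WRAP_PREFIX = 'sha1wrap:';

// One-time upgrade step, run over every row with no user interaction:
// the old SHA-1 digest itself becomes the "password" fed to password_hash(),
// so the weak digest is no longer stored in the clear.
function wrap_legacy_hash($sha1_hex) {
    return LEGACY_WRAP_PREFIX . password_hash($sha1_hex, PASSWORD_DEFAULT);
}

// Login check. Returns null on failure; otherwise the value that should now
// be stored for this user (unchanged if no upgrade is needed).
function verify_and_upgrade($password, $stored) {
    $plen = strlen(LEGACY_WRAP_PREFIX);
    if (strncmp($stored, LEGACY_WRAP_PREFIX, $plen) === 0) {
        // Wrapped legacy digest: verify bcrypt(sha1(password)), then
        // replace it with a direct hash of the real password.
        if (!password_verify(sha1($password), substr($stored, $plen))) {
            return null;
        }
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // Raw SHA-1 row the upgrade script never touched: constant-time
        // compare, then upgrade on success.
        if (!hash_equals($stored, sha1($password))) {
            return null;
        }
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Already a password_hash() value: rehash only when the default
    // algorithm or cost has changed since it was produced.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $stored;
}

// Constructed demo row: what the old code stored, what the upgrade script
// turns it into, and what the first successful login replaces it with.
$legacy  = sha1('correct horse');
$wrapped = wrap_legacy_hash($legacy);
$fresh   = verify_and_upgrade('correct horse', $wrapped);
assert($fresh !== null && strncmp($fresh, LEGACY_WRAP_PREFIX, 9) !== 0);
assert(verify_and_upgrade('wrong password', $wrapped) === null);
```

Wrapping keeps every account protected immediately after the upgrade, before anyone logs in; the first-login rehash then removes the dependency on SHA-1 for that user.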

Visman 2016-04-13 07:50:04

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat

This library uses the openssl_random_pseudo_bytes() function: https://github.com/ircmaxell/password_c … d.php#L112
Ticket #1081 openssl_random_pseudo_bytes() is not cryptographically secure: https://fluxbb.org/development/core/tickets/1081/