
Ticket #1069 (fixed enhancement)

Stronger password hashes (and salts)

  • Created: 2015-12-28 17:29:00
  • Reported by: Studio384
  • Assigned to: Franz
  • Milestone: 1.6
  • Component: security
  • Priority: highest

FluxBB tends to save passwords in SHA-1 which isn't such a secure algorithm anymore. We should consider moving to a more secure algorithm and salts.

Perhaps something for 1.6?

History

Visman 2015-12-28 17:51:13

Need a unique salt for each user.

Studio384 2015-12-28 18:32:00

  • Milestone set to 1.6.
  • Priority changed from high to highest.

Well... with SHA-1 now so easy to decrypt...

TheBritain 2016-01-12 23:57:23

My users are going to be pissed at ANOTHER password change, this will be the third one. I suppose it's needed though. This might sound irresponsible, but is it too much to ask for a converter that takes your old hash key, and then converts users' passwords over when this is implemented?

Studio384 2016-01-13 07:40:33

What? We can simply convert the password at first login, no need for the users to do - or even notice - anything.

Franz 2016-01-14 07:18:18

Plus, we can securely hash the old hashes on first update and use that algorithm to check whether the password needs an upgrade.

adaur 2016-04-13 06:21:59

If we support PHP >= 5.5, we could (should) use password_hash http://php.net/manual/fr/function.password-hash.php

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat

Visman 2016-04-13 07:50:04

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat

This library uses the openssl_random_pseudo_bytes() function: https://github.com/ircmaxell/password_c … d.php#L112
Ticket #1081 openssl_random_pseudo_bytes() is not cryptographically secure: https://fluxbb.org/development/core/tickets/1081/

tyzoid 2017-11-27 02:21:54

  • Uploaded patch fluxbb_password.patch. (view)

I've currently got this in a PR: fluxbb/pull/206

Attached is the patch file from that PR. It uses password_hash, but falls back to the same functionality as currently if not available. Using the library to fill this void for older PHP versions may be useful.

This patch will cause fluxbb to transparently convert sha1 hashes to the new/more secure password_hash as users log in.
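The login-time conversion described in this thread, as an added example that is not the FluxBB patch or any other project code. It assumes password_hash()/password_verify() are available (PHP 5.6 or later, or the password_compat library for hash_equals() and the password_* functions), and it combines the two ideas discussed above: rehash to password_hash() when a user with a legacy 40-character SHA-1 hash logs in, and, for accounts that never log in, bcrypt the stored SHA-1 digest offline under a hypothetical "sha1-wrapped:" prefix so the database no longer holds a fast unsalted hash. The prefix, the function names and the sample user row are assumptions for illustration.

```php
<?php
// Added example, not FluxBB's code. Transparent upgrade of legacy SHA-1
// password hashes to password_hash(), plus the "wrap the old hash" variant.
// Assumes PHP >= 5.6 (hash_equals, password_hash, password_verify).

// Hypothetical prefix marking a bcrypt hash computed over the legacy SHA-1
// hex digest rather than over the plaintext password.
define('WRAPPED_SHA1_PREFIX', 'sha1-wrapped:');

// Classify a stored value so verification knows what to compare against.
function hash_kind($stored)
{
    if (strpos($stored, WRAPPED_SHA1_PREFIX) === 0) {
        return 'wrapped';
    }
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        return 'sha1';      // legacy FluxBB format: unsalted SHA-1 hex
    }
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return 'modern';    // produced by password_hash()
    }
    return 'unknown';
}

// Check a login against whatever format is stored. On success, $new_hash is
// set to a replacement the caller must write back, or left null if the
// stored hash is already current. The plaintext is only available here, so
// this is the only point at which a legacy hash can be upgraded.
function verify_and_upgrade($password, $stored, &$new_hash)
{
    $new_hash = null;
    switch (hash_kind($stored)) {
        case 'sha1':
            // Constant-time compare; both sides are 40 hex chars.
            if (!hash_equals($stored, sha1($password))) {
                return false;
            }
            break;
        case 'wrapped':
            // bcrypt was applied to the SHA-1 digest, so verify sha1($password).
            $inner = substr($stored, strlen(WRAPPED_SHA1_PREFIX));
            if (!password_verify(sha1($password), $inner)) {
                return false;
            }
            break;
        case 'modern':
            if (!password_verify($password, $stored)) {
                return false;
            }
            if (!password_needs_rehash($stored, PASSWORD_DEFAULT)) {
                return true;    // already uses the current algorithm and cost
            }
            break;
        default:
            return false;       // unrecognised format: refuse rather than guess
    }
    // Every successful path with an outdated hash ends here.
    $new_hash = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Offline step for accounts that have not logged in since the change:
// bcrypt the stored SHA-1 digest so no fast unsalted hash remains at rest.
// The result still verifies via the 'wrapped' branch above and is replaced
// by a direct password_hash() the next time the user logs in.
function wrap_legacy_hash($sha1_hex)
{
    return WRAPPED_SHA1_PREFIX . password_hash($sha1_hex, PASSWORD_DEFAULT);
}

// Constructed demo row: a user whose row still holds the old SHA-1 format.
$stored = sha1('correct horse');
if (verify_and_upgrade('correct horse', $stored, $upgraded) && $upgraded !== null) {
    // Persist $upgraded, e.g. UPDATE users SET password = ? WHERE id = ?
    // The new value is a "$2y$" bcrypt string, 60 characters, longer than
    // the 40-character SHA-1 the old column was sized for.
}
```

The wrapped form is prefix plus a 60-character bcrypt string, and PASSWORD_DEFAULT may grow in future PHP releases, so the column receiving either value has to be widened before this code goes live; a 40-character column silently truncates the hash and every subsequent password_verify() fails.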

Franz 2019-01-03 23:33:36

  • Owner set to Franz.

Franz 2019-01-04 10:04:18

  • Status changed from open to fixed.

Commit 1ad12d2 to fluxbb 1.6-next

Merge branch '1.6-tyzoid-password-hashes' into 1.6-next

Fixes #707.
Fixes #1069.

Franz 2019-01-06 20:38:24

Commit de16e3e to fluxbb master

Configure password hashing for installation

Refs #1069.

quy 2019-01-08 17:17:44

Per PHP doc, the password length should be at least 60, but it is currently only 40 thus truncating the hash. What should be the desired length? Please decide and submit PR. Thanks.

PASSWORD_DEFAULT (integer)

    The default algorithm to use for hashing if no algorithm is provided. This may change in newer PHP releases when newer, stronger hashing algorithms are supported.

    It is worth noting that over time this constant can (and likely will) change. Therefore you should be aware that the length of the resulting hash can change. Therefore, if you use PASSWORD_DEFAULT you should store the resulting hash in a way that can store more than 60 characters (255 is the recommended width).

quy 2019-01-08 17:35:32

Commit 6ab6836 to fluxbb master

Make password field VARCHAR(255) to support password_hash

Fixes #1069.

Franz 2019-01-08 18:13:49

Oh, thanks! That was an oversight, that code had been added to the DB update script.