
Ticket #1069 (open enhancement)

Stronger password hashes (and salts)

  • Created: 2015-12-28 17:29:00
  • Reported by: Studio384
  • Assigned to: None
  • Milestone: 1.6
  • Component: security
  • Priority: highest

FluxBB tends to save passwords in SHA-1 which isn't such a secure algorithm anymore. We should consider moving to a more secure algorithm and salts.

Perhaps something for 1.6?

History

Visman 2015-12-28 17:51:13

Need a unique salt for each user.

Studio384 2015-12-28 18:32:00

  • Milestone set to 1.6.
  • Priority changed from high to highest.

Well... with SHA-1 now so easy to decrypt...

TheBritain 2016-01-12 23:57:23

My users are going to be pissed at ANOTHER password change, this will be the third one. I suppose it's needed though. This might sound irresponsible, but is it too much to ask for a converter that takes your old hash key, and then converts users' passwords over when this is implemented?

Studio384 2016-01-13 07:40:33

What? We can simply convert the password at first login, no need for the users to do - or even notice - anything.

Franz 2016-01-14 07:18:18

Plus, we can securely hash the old hashes on first update and use that algorithm to check whether the password needs an upgrade. smile

adaur 2016-04-13 06:21:59

If we support PHP >= 5.5, we could (should) use password_hash http://php.net/manual/fr/function.password-hash.php

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat

Visman 2016-04-13 07:50:04

Otherwise, there is a library for older PHP versions
https://github.com/ircmaxell/password_compat

This library uses the openssl_random_pseudo_bytes() function: https://github.com/ircmaxell/password_c … d.php#L112
Ticket #1081 openssl_random_pseudo_bytes() is not cryptographically secure: https://fluxbb.org/development/core/tickets/1081/

tyzoid 2017-11-27 02:21:54

  • Uploaded patch fluxbb_password.patch.

I've currently got this in a PR: fluxbb/pull/206

Attached is the patch file from that PR. It uses password_hash, but falls back to the same functionality as currently if not available. Using the library to fill this void for older PHP versions may be useful.

This patch will cause fluxbb to transparently convert sha1 hashes to the new/more secure password_hash as users log in.
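Added example (not FluxBB's code and not the patch from the PR above) illustrating the two migration ideas in this thread: Studio384's and tyzoid's "verify the old SHA-1 hash at login, then replace it with a password_hash() value" and Franz's "wrap every stored SHA-1 hash in bcrypt now, without knowing the password, then use the hash format itself to decide whether an upgrade is still needed". It assumes PHP 5.6+ for hash_equals() and password_hash() (on 5.3.7 to 5.4 the password_compat library linked above supplies the password_* functions), and the `sha1-bcrypt$` prefix and the sample password are this example's own conventions, not anything FluxBB stores.

```php
<?php
// Legacy FluxBB-style hash: unsalted SHA-1 of the password (40 hex chars).
function legacy_hash($password) {
    return sha1($password);
}

// Marker for a legacy hash that has been wrapped in bcrypt (Franz's idea).
// The prefix is this example's convention, not a FluxBB format.
const WRAPPED_PREFIX = 'sha1-bcrypt$';

// Strengthen an existing SHA-1 hash without the password: bcrypt(sha1).
// The 40-char hex digest is well under bcrypt's 72-byte input limit.
function wrap_legacy_hash($sha1Hash) {
    return WRAPPED_PREFIX . password_hash($sha1Hash, PASSWORD_DEFAULT);
}

// Classify a stored value so verification knows which path to take.
function hash_kind($stored) {
    if (strncmp($stored, WRAPPED_PREFIX, strlen(WRAPPED_PREFIX)) === 0) {
        return 'wrapped';
    }
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        return 'legacy';
    }
    return 'modern';
}

// Check a login against any of the three formats. On success, also return a
// replacement hash when the stored one is legacy, wrapped, or a native hash
// whose algorithm/cost is outdated (password_needs_rehash covers the last).
// Returns array(bool $ok, string|null $newHash).
function verify_and_upgrade($password, $stored) {
    $kind = hash_kind($stored);
    switch ($kind) {
        case 'legacy':
            // Constant-time comparison of the two hex digests.
            $ok = hash_equals($stored, legacy_hash($password));
            break;
        case 'wrapped':
            $inner = substr($stored, strlen(WRAPPED_PREFIX));
            $ok = password_verify(legacy_hash($password), $inner);
            break;
        default:
            $ok = password_verify($password, $stored);
            break;
    }
    if (!$ok) {
        return array(false, null);
    }
    $needsUpgrade = ($kind !== 'modern')
        || password_needs_rehash($stored, PASSWORD_DEFAULT);
    return array(true, $needsUpgrade ? password_hash($password, PASSWORD_DEFAULT) : null);
}

// --- Demonstration on a constructed user record ---
$password = 'correct horse battery staple';   // constructed sample password
$stored   = legacy_hash($password);            // what a pre-upgrade row holds

// Offline bulk step (Franz): every row is strengthened before anyone logs in.
$stored = wrap_legacy_hash($stored);
printf("after wrapping:   %s\n", hash_kind($stored));

// First login after the upgrade: verified via the wrapped path, then replaced.
list($ok, $newHash) = verify_and_upgrade($password, $stored);
printf("login ok=%s, upgraded=%s\n", var_export($ok, true), $newHash !== null ? 'yes' : 'no');
if ($newHash !== null) {
    $stored = $newHash;   // in FluxBB this would be an UPDATE on the users row
}
printf("after login:      %s\n", hash_kind($stored));

// Later logins: native hash, no further rewrite until the cost changes.
list($ok, $newHash) = verify_and_upgrade($password, $stored);
printf("second login ok=%s, upgraded=%s\n", var_export($ok, true), $newHash !== null ? 'yes' : 'no');

// A wrong password is rejected on every path.
list($ok) = verify_and_upgrade('wrong password', $stored);
printf("wrong password ok=%s\n", var_export($ok, true));
```

The wrapping step is what removes the window in which a database dump still yields cheap, unsalted SHA-1 digests for users who have not logged in since the upgrade; the login-time rewrite then retires the wrapped form, so hash_kind() drifting toward 'modern' across the table is a simple progress check. If the fallback-to-SHA-1 behaviour of the patch is kept for installs without password_hash(), the 'legacy' branch above is exactly what keeps those installs verifying.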