#1 2020-01-10 23:18:52

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

password_hash

Hi,

https://eprint.iacr.org/2020/014.pdf

Please, no more SHA1 in FluxBB! The right solution is to use password_hash (a native function in PHP since 5.5). How?

Offline

#2 2020-01-11 03:01:48

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,289
Website

Offline

#3 2020-01-11 10:38:55

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

Re: password_hash

Cool.
Is there a way to extract the function and integrate it with FluxBB 1.5.11 without updating the rest? Has anyone done it?
Or is Master functional and can I upgrade my FluxBB 1.5.11 to Master?

Given the recent discoveries on SHA1, passwords are almost no longer secure on FluxBB.

Offline
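
One way to do the migration asked about above is to re-hash each password the next time its owner logs in. This is an added example, not FluxBB code and not from any poster in this thread; it assumes PHP 7.1+ and that the legacy column holds an unsalted 40-character hex SHA-1 digest, and the function name `verify_and_upgrade` and the sample row are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not FluxBB code. Assumption: the legacy column holds an
// unsalted 40-character hex SHA-1 digest of the password.

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $replacementHash]; when $replacementHash is
 * non-null the caller should write it back to the user's row.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{40}$/i', $stored) === 1) {
        // Legacy path: constant-time compare against the old SHA-1 digest.
        if (!hash_equals(strtolower($stored), sha1($password))) {
            return [false, null];
        }
        // The plaintext is only available at login, so re-hash it here.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Modern hash: refresh it if PHP's default algorithm or cost has moved on.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample row: a user who registered under the old scheme.
$row = ['id' => 7, 'password' => sha1('correct horse')];

[$ok, $new] = verify_and_upgrade('correct horse', $row['password']);
if ($ok && $new !== null) {
    // In a real board this is an UPDATE of the user's password column.
    $row['password'] = $new;
}
var_dump($ok, password_get_info($row['password'])['algoName']);

// The next login takes the password_verify() path; a wrong password fails.
var_dump(verify_and_upgrade('correct horse', $row['password'])[0]);
var_dump(verify_and_upgrade('wrong', $row['password'])[0]);
```

The password column must be widened before deploying this: bcrypt output is 60 characters, and the PHP manual recommends 255 so that future default algorithms fit. Accounts that never log in again keep their SHA-1 digest until they are reset.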

#4 2020-01-16 15:25:45

artoodetoo
Member
From: Far-Far-Away
Registered: 2008-05-11
Posts: 226

Re: password_hash

oli_v_ier wrote:

Given the recent discoveries on SHA1, passwords are almost no longer secure on FluxBB.

With one note: if your database got into attackers' hands. This is not a very likely event, right? :)
Assuming that an attacker has direct access to your database or files, he does not need to decrypt passwords at all.


I'm not a fan of FluxBB way anymore.

Offline

#5 2020-01-16 16:04:59

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

Re: password_hash

artoodetoo wrote:

With one note: if your database got into attackers' hands. This is not a very likely event, right? :)

It's true, but if the risk is so low, why encrypt passwords?
https://en.wikipedia.org/wiki/File:IC-R … mplate.jpg

I believe that when we take responsibility for storing passwords, it is our duty to use the best available means so that they are well protected. Efficient encryption is available; let's use it.
In the event of the database being hacked, the hacker will be able to associate email addresses and passwords, which can lead to identity theft.

Offline

#6 2020-01-16 21:30:51

artoodetoo
Member
From: Far-Far-Away
Registered: 2008-05-11
Posts: 226

Re: password_hash

Agreed


I'm not a fan of FluxBB way anymore.

Offline
