Password Hashing #89
Comments
👍 There is no max length for passwords. We only save a hash and the hash is not longer than 35 chars. Also if your password has 100 chars the hash has 30. I support your idea of a new hash if the user has stored the pw in the old way. So if checkLogin was successful then we should update the password to the new hash if it's the old way. But we need a way to identify the password hash method. Now phpass stores a $ at the first chars. We could not remove phpass because you always have old passwords. You don't know when users log in again. Maybe after 5 years someone logs in again and had stored his password with phpass.
I want to (nearly) remove the max length limit (I want to set it at least to 64 or 128 chars). I already posted the possible detection patterns. I only need more infos to the I anyway think we could drop

I want to make a new class
Some links: What I found out:

Summary:
I don't know why there is the limit of 30 chars for usr_new_password. This field is only used if a new password is generated through "password forgotten". This limit could be removed. If blowfish needs 60 chars for its hash, then we make varchar(60) fields for usr_password and usr_new_password. No problem. Is CRYPT_BLOWFISH also a portable hash? This is important because if the database is moved to a new server we must also be able to build the same hash for login. If possible we should only use one new method for password encryption. An own class for password handling could be useful.
I don't know of a hashing function whose hashes you couldn't move to another DB? They are only strings... OK, I got why there is this 30 chars check:

see #91

merged
Drop the lib phpass and use the native password hashing functionality of PHP with the fallback lib password-compat to support PHP 5.3.7+.

I will leave `phpass` in Admidio to get backward compatibility. If the user successfully logs in the next time, the password gets rehashed with the new algorithm. So I hope to really remove `phpass` with Admidio 3.2 or 3.3.

I only need some infos about the currently used algorithms to detect which algo was used to get this hash:

- `$P$`
- `_`
- `$2$`

I will use the option `PASSWORD_DEFAULT` to always get the strongest possible algorithm (today only bcrypt).

If I understand the current code correctly: it isn't possible to enter passwords longer than 30 chars because of the need to check whether the password string is longer than 30 chars (then it is already a hash) or shorter (then it is the original unhashed password). I will try to fix that. There should never be a limit on password length or a limitation to some chars.
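The login-time migration described in this issue, as an added example that is neither Admidio's nor phpass' code: detect the scheme from the stored hash's prefix, verify with the matching method, and on success return a fresh `PASSWORD_DEFAULT` hash whenever the stored one is a phpass hash or is reported outdated. It assumes PHP 7.1+ (nullable return types) and that the phpass check is injected as a callable; the class and method names are invented for this illustration.

```php
<?php
// Added example, not Admidio's code: verify a login against whichever scheme
// produced the stored hash and return the hash that should be stored afterwards.
final class PasswordMigration
{
    /** @var callable(string,string):bool verifier for phpass hashes (assumed, injected) */
    private $legacyVerify;
    public function __construct(callable $legacyVerify)
    {
        $this->legacyVerify = $legacyVerify;
    }

    /** Name the scheme behind $storedHash: 'phpass', 'native' or 'unknown'. */
    public static function detectScheme(string $storedHash): string
    {
        // phpass "portable" hashes start with $P$ (or $H$ in the phpBB flavour).
        if (strncmp($storedHash, '$P$', 3) === 0 || strncmp($storedHash, '$H$', 3) === 0) {
            return 'phpass';
        }
        // password_get_info() knows every format password_hash() can emit ($2y$, $argon2id$, ...).
        return password_get_info($storedHash)['algoName'] !== 'unknown' ? 'native' : 'unknown';
    }

    /**
     * Null if $password does not match; otherwise the hash to store now: $storedHash when
     * still current, else a fresh PASSWORD_DEFAULT hash. Caveat: bcrypt uses only the first
     * 72 bytes of the password, and future defaults may exceed 60 chars (size the column 255).
     */
    public function verifyAndUpgrade(string $password, string $storedHash): ?string
    {
        switch (self::detectScheme($storedHash)) {
            case 'phpass':
                return ($this->legacyVerify)($password, $storedHash)
                    ? password_hash($password, PASSWORD_DEFAULT) : null;
            case 'native':
                if (!password_verify($password, $storedHash)) {
                    return null;
                }
                return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
                    ? password_hash($password, PASSWORD_DEFAULT) : $storedHash;
            default:
                return null;
        }
    }
}
// Constructed usage; in Admidio the callback would wrap phpass' PasswordHash::CheckPassword().
$migration = new PasswordMigration(static function (string $pw, string $hash): bool { return false; });
$stored    = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$newHash   = $migration->verifyAndUpgrade('correct horse battery staple', $stored);
```

The caller writes the returned string back to usr_password only when it differs from the stored value; a null return is a failed login.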