
security(passwords): switches password hashing to password_hash() #7594

Merged
merged 1 commit into from Dec 3, 2014

Conversation

mrclay
Member

@mrclay mrclay commented Dec 3, 2014

(replaces #7495)

This gradually migrates users to modern hashes as they log in; deprecates
setting the salt/password attributes in favor of a new setPassword() method
(setting salt/password continues to work but will revert the user to the
legacy MD5 hashing); and moves core password functionality to a
PasswordService object.

Fixes #4665.
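The login-time migration the description outlines, written out as an added example; this is not Elgg's PasswordService, the class name and the legacy formula md5($password . $salt) are assumptions used only to illustrate the fallback path.

```php
<?php
// Added illustration of gradual hash migration; not Elgg's own code.
// Assumption: the legacy scheme is md5($password . $salt), stored in `password`.

final class PasswordMigrationExample
{
    /** @var array constructed user row with keys salt, password, password_hash */
    private array $user;

    public function __construct(array $user) { $this->user = $user; }

    // Modern path: store a password_hash() digest and drop the legacy fields,
    // so nothing can fall back to MD5 for this user afterwards.
    public function setPassword(string $password): void
    {
        $this->user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        $this->user['salt'] = '';
        $this->user['password'] = '';
    }

    // Verifies a login and migrates a legacy user on the first success.
    public function authenticate(string $password): bool
    {
        $hash = $this->user['password_hash'];
        if ($hash !== '') {
            if (!password_verify($password, $hash)) {
                return false;
            }
            // PASSWORD_DEFAULT's algorithm or cost may change; upgrade in place.
            if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
                $this->setPassword($password);
            }
            return true;
        }
        // Empty password_hash: the user has not logged in since the upgrade.
        $legacy = md5($password . $this->user['salt']);
        if (!hash_equals($this->user['password'], $legacy)) {
            return false;
        }
        $this->setPassword($password); // one-way move off the MD5 scheme
        return true;
    }

    public function row(): array { return $this->user; }
}

// Constructed legacy row: salt 'abc123', MD5 of the password plus salt, no modern hash yet.
$user = new PasswordMigrationExample([
    'salt' => 'abc123',
    'password' => md5('correct horse' . 'abc123'),
    'password_hash' => '',
]);
var_dump($user->authenticate('wrong'));         // wrong password leaves the row legacy
var_dump($user->authenticate('correct horse')); // correct password triggers migration
var_dump($user->row()['password_hash']);        // now a password_hash() digest
```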

@mrclay mrclay mentioned this pull request Dec 3, 2014
@mrclay mrclay added this to the Elgg 1.10.0 milestone Dec 3, 2014
notify_user($user->guid,
elgg_get_site_entity()->guid,
_elgg_services()->translator->translate("email:$ns:subject"),
_elgg_services()->translator->translate("email:$ns:body", array($user->username, $password)),
Member

Pass in user's language as the third parameter to the translate() calls.

Member Author

Thx. Fixed here and in sendNewPasswordRequest()

ALTER TABLE {$dbprefix}users_entity
ADD `password_hash` varchar(255) NOT NULL DEFAULT ''
AFTER `salt`
");
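Review bot: with `DEFAULT ''` on the new `password_hash` column, every existing row carries an empty hash until that user next logs in, so the login path has to treat an empty `password_hash` as "not migrated" and take the legacy salt/MD5 check instead of handing the empty string to password_verify(); a short comment in the upgrade script or in the PasswordService stating that convention would make the migration rule explicit for anyone touching the column later.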
Member

Nitpick: the upgrade name implies that running this upgrade makes hashes better, but in fact it only adds a new column.

@juho-jaakkola
Member

LGTM in general

mrclay added a commit that referenced this pull request Dec 3, 2014
security(passwords): switches password hashing to password_hash()
@mrclay mrclay merged commit 69c91fe into Elgg:1.10 Dec 3, 2014
@Srokap Srokap removed the in progress label Dec 3, 2014
@mrclay mrclay deleted the 4665_110 branch December 3, 2014 14:12
@mrclay
Member Author

mrclay commented Dec 3, 2014

@juho-jaakkola I addressed your comments and pulled the trigger.

@ewinslow
Contributor

ewinslow commented Dec 3, 2014

Woohoo this is a big improvement!
