Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] password hash comparison vulnerable to timing attack #16

Closed
divinity76 opened this issue Aug 5, 2017 · 1 comment
Closed

[security] password hash comparison vulnerable to timing attack #16

divinity76 opened this issue Aug 5, 2017 · 1 comment

Comments

@divinity76
Copy link

the code used to check if the password is correct, is vulnerable to timing attacks, allowing hackers to extract the source code hash, painstakingly byte-by-byte. the comparison should be done in a timing attack safe manner.
divinity76 added a commit to divinity76/filemanager that referenced this issue Aug 5, 2017
@divinity76
change from MD5 to bcrypt, and fix a password timing attack vulnerabi…
a24e9d1 
…lity

by now using the password_ api. which also means from now on, the script REQUIRES php >=5.5.0. - or this polyfill for old php versions: https://github.com/ircmaxell/password_compat

fixes alexantr#15 and alexantr#16
@divinity76 divinity76 mentioned this issue Aug 5, 2017
Closed
@alexantr
Copy link
Owner

Sorry, but password hashing removed at all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@divinity76 @alexantr