Stop using md5 and sha1 #105
Comments
|
Having a lookback to 2014, here we are in 2015 someday, and yet this issue is not fixed? |
|
While I have been so busy, I haven't had time to update in a while, I admit Have those addressing the issues contributed fixes for them? Just curious, I'd like to spend more of my time on this but lately, I've been to busy to do
|
Hello, I skimped through the code very briefly and was shocked by the security of the software.
Hashing for the password is very weak, users are using md5 hash function through MySQL while admins are using PHP sha1 as the hash. Although the admin's password was salted, the salt was not an unique one for every installation.
Over the years, sha1 and md5 has been considered to be weak since they can be deciphered/decrypted.
The PHP dev team had strongly suggested the use of crypt() or password_hash() which is a simple crypt() wrapper and compatible with existing password hashes.
There are also articles like this out there that supports the use of bcrypt and not sha1/2/3/256/512 or md5, etc.
References for the code:
@mysql_query("INSERT INTO users (date_created,sso_user,sso_pass,username,password,email_address,first_name,last_name) VALUES(NOW(),AES_ENCRYPT('$username', '$enc_key'),AES_ENCRYPT('$password', '$enc_key'),'$username',MD5('$password'),'$email','$first_name','$last_name')") or die('Failed to create user: '.mysql_error());$password = base64_encode(sha1('ZzaX'.$password.'GPX88'));The text was updated successfully, but these errors were encountered: