Default config uses md5 to hash passwords #2936
Comments
https://github.com/splitbrain/dokuwiki/blob/master/_test/tests/inc/auth_password.test.php shows a list of supported algos. I'm not sure what the default is in DW, but you can choose to use a more secure algo.

Yes, it seems that salted md5 is the default:
For inspiration maybe you could look at the Symfony implementation? https://github.com/symfony/symfony/blob/c732122b574ecfb083d44324ac18f9508e95471d/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php

The native PHP methods store the password in an encoded form like this (first and second part are algo and parameters used for hashing):

$argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0

Of course PHP has corresponding password_verify. This enables the upgrade of the hashing algorithm after the initial user is created. A better default like bcrypt would also solve this problem for quite some time I think.
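The upgrade path described in the comment above, as an added example that is not DokuWiki's or Symfony's code: password_verify() accepts any crypt()-compatible hash, so a login against a legacy hash can succeed and then be re-encoded with PASSWORD_DEFAULT. It assumes the legacy hashes are in crypt(3) MD5 format ("$1$salt$...") and uses a constructed in-memory user array in place of the real user store.

```php
<?php
// Added example, not project code. Verify against whatever hash is stored,
// then transparently upgrade outdated hashes to PHP's current default.
// Assumption: legacy hashes are crypt(3) MD5 ("$1$..."), which
// password_verify() understands because it is crypt()-compatible.

/**
 * Check $password against $storedHash.
 * Returns false on mismatch, null when the hash is valid and current,
 * or a new hash string when the stored one should be replaced.
 */
function verify_and_upgrade(string $password, string $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return false;                         // wrong password, never rehash
    }
    // True for unknown/legacy formats and for stale cost parameters.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // The plaintext is only available at login, so this is the one
        // moment the stored hash can be re-encoded with the stronger default.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return null;                              // valid and already up to date
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $result = verify_and_upgrade($password, $users[$name]);
    if ($result === false) {
        return false;
    }
    if ($result !== null) {
        $users[$name] = $result;              // persist the upgraded hash
    }
    return true;
}

// Constructed sample store: one user with a legacy $1$ (salted MD5) hash.
$users = ['alice' => crypt('correct horse', '$1$abcdefgh$')];

var_dump(login($users, 'alice', 'wrong'));          // rejected, hash untouched
var_dump(login($users, 'alice', 'correct horse'));  // accepted, hash upgraded
echo substr($users['alice'], 0, 4), "\n";           // prefix of the new hash
```

Any user who never logs in keeps the legacy hash, so a forced reset or expiry policy is still needed to retire those entries.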
There is already support for bcrypt: The thing is that we need to change the default. I guess

Yep. I'm happy to switch the default to whatever is deemed more secure. It should basically be a single line change. Just pick what you like and commit ;-)

Done. Thanks for raising the issue @Marv51!
I believe the default configuration uses salted md5 password hashing? That is no longer considered secure.

I would suggest using the password_hash(string $password) function with the default hashing algorithm by default.