Default config uses md5 to hash passwords #2936
Comments
|
https://github.com/splitbrain/dokuwiki/blob/master/_test/tests/inc/auth_password.test.php shows a list of supported algo's, I'm not sure what the default is in DW but you can choose to use a more secure algo.
|
|
yes, it seems that salted md5 is the default: |
|
For inspiration maybe you could look at the Symfony implementation? https://github.com/symfony/symfony/blob/c732122b574ecfb083d44324ac18f9508e95471d/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php The native PHP methods store the password in an encoded form like this (first and second part are algo and parameters used for hashing): $argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP4cmSJI1vc8lpXRW9/S0sYY2i2jHT0 Of course php has corresponding password_verify. This enables the upgrade of the hashing algorithm after the initial user is created. A better default like bcrypt would also solve this problem for quite some time I think. |
|
There is already support for bcrypt: The thing is that we need to change the default. I guess |
|
Yep. I'm happy to switch the default to whatever is deemed more secure. It should basically be a single line change. Just pick what you like and commit ;-) |
|
Done. Thanks for raising the issue @Marv51! |
I believe the default configuration uses salted md5 password hashing? That is no longer considered secure.
I would suggest using the
password_hash ( string $password)function with the default hashing algorithm by default.The text was updated successfully, but these errors were encountered: