Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Uses MD5 for Authentication #73

Open
AlexBestoso opened this issue Jun 18, 2019 · 4 comments

Comments

Projects
None yet
2 participants
@AlexBestoso
Copy link

commented Jun 18, 2019

I was playing with the source code, and noticed that the php login uses an unsalted MD5 hashing function. The issue was easy to fix, though I felt like you should be aware.

Replacing md5 hashing functions with hash('sha512', $password, FALSE) seems to have worked for me. After changing user_password entries in the db, and looking through the php files.

@ajdonnison

This comment has been minimized.

Copy link
Contributor

commented Jun 19, 2019

Given there will be existing sites out there we need to add a little to handle the transition. I agree we need to update the hash function, I don't agree we force sites to update all their passwords manually.

@AlexBestoso

This comment has been minimized.

Copy link
Author

commented Jun 20, 2019

I agree.
Perhaps a system that has users type in their user and password into the login form.

On post, query for user_username. If the username exists, check if user_password is not the length of a SHA512 sum.

If not the length of a SHA512 sum, hash the password with MD5 and authenticate, else hash with SHA512.

If the user authenticates with MD5. Hash the original password again, but this time using a stronger algorithm. Then update the SQL database entry where user_username="form input".

SHA-1 has a collision vulnerability that was discovered in 2017, so that one can't be used.
The idea needs to be refined to ensure no passwords or hashes are accidentally leaked.

@ajdonnison

This comment has been minimized.

Copy link
Contributor

commented Jul 16, 2019

Yep, that is pretty much the way I think it should go too. Are you up for creating a pull request for that?

@AlexBestoso

This comment has been minimized.

Copy link
Author

commented Jul 18, 2019

Sure!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.