Security: Use password_hash() rather than hash()

[PhrozenByte]

pico-users/PicoUsers.php

Line 179 in 3e20e69

$users = $this->search_users($name, hash($this->hash_type, $pass));

hash() is no password hashing function (at least not as-is)! Even more important: Never use a password hash function without salt. Use password_hash() instead.

Unfortunately password_hash() requires >= PHP 5.5. If you still want to support PHP 5.3 and PHP 5.4 (as Pico does), you can use https://github.com/ircmaxell/password_compat. You might want to take a look at how Pico's official admin plugin (still work in progress) takes care of this:

• https://github.com/PhrozenByte/pico-admin/blob/bacba2086dd7eee25e8d54a3b86085a3f0ca27f7/PicoAdmin.php#L133-L135
• https://github.com/PhrozenByte/pico-admin/blob/bacba2086dd7eee25e8d54a3b86085a3f0ca27f7/PicoAdmin.php#L257-L271

[PhrozenByte]

IMO this shouldn't be optional, using hash() without a salt and without a huge number of hashing rounds makes brute force attacks - even with long passwords - very easy. password_hash takes care of this.

Simply move your PicoUsers.php together with ircmaxell/password_compat's password.php to a new PicoUsers/ directory and do a require_once('password.php').