Passwords Encrypted using MD5
I read the code comments about PHP versions and not implementing hashing in PHP (a wise choice); however, you can do hashing just as easily on the command line, and should probably require a certain set of CLI tools for encrypting. MD5 may as well be as good as plain text. Even PBKDF2 at 30,000 runs may not be NSA-secure but will make hacking impractical.
There is a PHP >= 5.3 compatibility library, https://github.com/ircmaxell/password_compat; PHP 5.5 already has it built in (make sure you set the number of runs high enough).
I would argue that at a bare minimum you should put up all sorts of red warnings everywhere that using PHP < 5.3 = as good as plaintext passwords.
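For reference, this is what the upgrade path the issue asks for looks like with the built-in `password_hash()` API (PHP >= 5.5) or the password_compat polyfill on 5.3/5.4. It is an added example written for this thread, not code from the project or the reporter: the `$user` record shape, the 32-hex-character check used to recognise a legacy MD5 digest, the `BCRYPT_COST` value and the `hash_equals` fallback are all assumptions for illustration. On a successful login the legacy MD5 value is replaced with a bcrypt hash, so the database migrates itself without ever storing plaintext.

```php
<?php
// Added example (not the project's code): verify a login against either a legacy
// MD5 digest or a bcrypt hash, and transparently upgrade legacy rows on success.
// Requires PHP >= 5.5, or ircmaxell/password_compat on PHP 5.3/5.4.

// Assumption: cost chosen so one hash takes on the order of 100 ms on the server.
const BCRYPT_COST = 12;

// hash_equals() exists from PHP 5.6; constant-time fallback for older versions.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($known); $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Assumption: legacy rows store md5($password) as a 32-character hex string.
function isLegacyMd5Hash($stored) {
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns true when $password matches $user['password_hash']; on success the
// stored value is upgraded to bcrypt if it was MD5 or uses an outdated cost.
function verifyAndUpgrade(array &$user, $password) {
    $options = array('cost' => BCRYPT_COST);

    if (isLegacyMd5Hash($user['password_hash'])) {
        if (!hash_equals($user['password_hash'], md5($password))) {
            return false;
        }
        // Correct password supplied: replace the MD5 digest with bcrypt.
        $user['password_hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        return true;
    }

    if (!password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Cost raised since this hash was made? Rehash while we still have the password.
    if (password_needs_rehash($user['password_hash'], PASSWORD_BCRYPT, $options)) {
        $user['password_hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Measure how long one hash takes at the configured cost, to tune BCRYPT_COST.
function measureHashMillis($cost) {
    $start = microtime(true);
    password_hash('timing-probe', PASSWORD_BCRYPT, array('cost' => $cost));
    return (microtime(true) - $start) * 1000;
}

// Constructed sample row: a user whose password was stored with plain md5().
$user = array(
    'name'          => 'alice',
    'password_hash' => md5('correct horse battery staple'),
);

$rejected = verifyAndUpgrade($user, 'wrong password');           // stays MD5
$accepted = verifyAndUpgrade($user, 'correct horse battery staple'); // upgraded
$nowBcrypt = strpos($user['password_hash'], '$2y$') === 0;

printf("wrong password accepted: %s\n", $rejected ? 'yes' : 'no');
printf("right password accepted: %s\n", $accepted ? 'yes' : 'no');
printf("stored hash is now bcrypt: %s\n", $nowBcrypt ? 'yes' : 'no');
printf("one hash at cost %d takes %.0f ms\n", BCRYPT_COST, measureHashMillis(BCRYPT_COST));
```

The timing helper is the check worth running on the actual server: raise the cost until a single hash takes roughly the longest delay a login can tolerate, since that delay is exactly what makes offline guessing expensive.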
Comments (7)
repo owner: I am confused what this is in regards to... is it the encrypted account passwords stored for logins?
Ah, sorry, I wasn't clear at all... I was reviewing the source code for the password hashing algorithm and it uses just MD5s, with a comment as to why. While the comment is very valid, the fact is that MD5 is an extremely bad choice for a hashing algorithm since it is intentionally designed for speed and is at this point considered trivial to reverse the hashing for passwords of any length.
- changed status to open
Leaving as open for Daim to look into unless deciding otherwise.
Closing, due to rewrite.
- changed status to closed
repo owner: Instead of putting more effort into encrypting passwords, there is a good chance EVE SSO will be used instead of username/password or API keys.
Sorry, should have edited my issue after I wrote the 2nd part...
Command line is one option; that way it is external to PHP. Compatibility + red flags is another option. As it stands, decrypting any password, no matter how complex, should take ~5 or so seconds per password in the worst case with brute force.