Password hashing

Issue #110 on hold
Frans van der Meer created an issue

The current way of hashing passwords is not safe enough. A single MD5 hash without a salt is as good as storing passwords in plaintext. See for example freerainbowtables.com

I see 2 options here. SSHA often used in LDAP enviroments or PHPASS (my preference).

The last one is in an adapted version used in Drupal 7. See the PHPASS page for links to discussions and references to background information.

You might even support both since the hashed versions can be prefixed with the hash version (for more details see the LDAP password field or the algorithm for PHPPASS).

Comments (5)

  1. Frans van der Meer reporter

    The update routine can be something like this: 1. prefix all current hashes with {md5} (LDAP style) 2. on next login, rehash the current password (or force to change the password)

    You then can make the way passwords are hashed configurable. Although I am not a big fan of it, often {SSHA} is used in LDAP to have the same password in different systems. You then als can support the way Drupal, Wordpress, Joomla(?), sugar or vtiger does its hashing; that makes integrating or changing crm very easy...

  2. Ivica Nedeljkovic

    We decided that we will probably go with phpass, but we will not start to implement it yet because we are busy with other things, and new password encryption system should take care of existing user passwords - let users select new password.

    Frans, would you maybe be interested to contribute to Zurmo, and help us with new password encryption method?

  3. Frans van der Meer reporter

    No problem. Quite busy with client work these days, but after next week I will look into it. I'll send a pull request!

  4. Log in to comment