Secure Password Storage (User Accounts / Admin Accounts)
-
Gunter Grodotzki shared this idea 11 years ago
- Admin Area
- 9 Comments
13
Votes
- User Account Passwords are currently stored salted as MD5 hash in the Database (if enabled)
- Admin Account Passwords are currently only stored as unsalted MD5 hash in the Database
I think it is not a secret with tools like http://hashcat.net/oclhashcat/ to dehash MD5 - even without Rainbow Tables - in a realistic timely matter.
Instead PHP's own password hashing function should be used (which is currently bcrypt), let PHP do the random salt generation and use a cost of at least 14.
The Technical Analyst Lawrence seems to be defending himself against implementing such a simple security enhancement. A no brainer really to make WHMCS more secure.
Merged Ideas
Improve encryption
I'd like to see a better encryption method than MD5 to be implemented.Because seriously, MD5? There's no excuse for using MD5!Use bcrypt or mcrypt maybe, because MD5 is just ridiculous!
I'd like to see a better encryption method than MD5 to be implemented.Because seriously, MD5? There's no excuse for using MD5!Use bcrypt or mcrypt maybe, because MD5 is just ridiculous!
Bcrypt instead of MD5
Hi, I hope iam not the only one who want bcrypt or scrypt instead of MD5 hashing for passwords in database.
Hi, I hope iam not the only one who want bcrypt or scrypt instead of MD5 hashing for passwords in database.
Featured Comment
Thanks for taking the time to provide your feedback and votes. I'm pleased to advise that as of version 5.3.9 both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported.
If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used.