Secure Password Storage (User Accounts / Admin Accounts)
Completed
- User Account Passwords are currently stored salted as MD5 hash in the Database (if enabled)
- Admin Account Passwords are currently only stored as unsalted MD5 hash in the Database
I think it is not a secret that, with tools like http://hashcat.net/oclhashcat/, MD5 can be dehashed - even without Rainbow Tables - in a realistic time frame.
Instead, PHP's own password hashing function should be used (which is currently bcrypt); let PHP do the random salt generation and use a cost of at least 14.
The Technical Analyst Lawrence seems to be defending himself against implementing such a simple security enhancement. A no-brainer, really, to make WHMCS more secure.
Hi,
Thanks for taking the time to provide your feedback and votes. I'm pleased to advise that as of version 5.3.9 both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported.
If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used.
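The request above asks for PHP's built-in bcrypt hashing with a cost of at least 14, and the reply explains that bcrypt is used on PHP 5.3.7 and later. The following is an added example (not WHMCS code, and not from anyone in this thread) showing what that looks like with `password_hash()`/`password_verify()`: random salt generation is left to PHP, the cost is 14, and a legacy salted-MD5 record is upgraded to bcrypt the first time its owner logs in successfully. The `$users` array, the `scheme`/`salt`/`hash` keys, and the `hashPassword`/`login` function names are assumptions made for the example; the sample user row is constructed.

```php
<?php
// Added example, not WHMCS code. Demonstrates bcrypt storage via PHP's own
// password hashing API and a one-time migration away from salted MD5.
// Assumption: $users stands in for the database table; column names are hypothetical.
declare(strict_types=1);

const BCRYPT_COST = 14; // cost requested in the thread (2^14 rounds per hash)

// Constructed sample row in the old scheme: md5(salt . password).
$users = [
    'alice' => [
        'scheme' => 'legacy_md5',
        'salt'   => 'x9Kq',
        'hash'   => md5('x9Kq' . 'correct horse'),
    ],
];

function hashPassword(string $password): string
{
    // password_hash() (PHP >= 5.5) draws a random 16-byte salt itself and embeds
    // it in the "$2y$14$..." string it returns. On PHP 5.3.7-5.4 the same result
    // comes from crypt() with a "$2y$14$" prefix and a random 22-character salt,
    // which is why the reply above gates bcrypt on 5.3.7.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];

    if ($row['scheme'] === 'legacy_md5') {
        // Constant-time comparison against the old salted MD5 value.
        if (!hash_equals($row['hash'], md5($row['salt'] . $password))) {
            return false;
        }
        // The plaintext is only available during a successful login, so this is
        // the moment to replace the MD5 record with a bcrypt one.
        $users[$name] = [
            'scheme' => 'bcrypt',
            'salt'   => null, // salt now lives inside the bcrypt string
            'hash'   => hashPassword($password),
        ];
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // If the stored hash was produced with a lower cost than current policy,
    // rehash it now that the password has been verified.
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$name]['hash'] = hashPassword($password);
    }
    return true;
}

// Walk-through: a wrong password leaves the MD5 row untouched, the first correct
// login migrates it to bcrypt, and later logins verify against the bcrypt hash.
var_dump(login($users, 'alice', 'wrong'));
var_dump(login($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme'], substr($users['alice']['hash'], 0, 7));
var_dump(login($users, 'alice', 'correct horse'));
```

At cost 14 a single hash takes on the order of a second on commodity hardware, which is the point: the same delay that is negligible for one login multiplies across every guess an attacker makes against a dumped table. Because the salt and cost are stored inside the bcrypt string, raising the cost later only requires the `password_needs_rehash()` branch shown above, not a schema change.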
Just about any encryption technique has a decryption software somewhere on the internet.
@Nathan Hilton: that statement is not fully correct.
But, your statement generally speaking has truth in it:
So I'd be careful about saying "why upgrade our security when it will be hacked in X years again anyway" - instead let's get a mentality of "let's keep our security always upgraded to minimize attacks beforehand".
Why do you want bcrypt? This can easily be decrypted - would you like your WHMCS to be decrypted by hackers who may get into your database and get your clients' credit cards?
I think it is a good idea to read something about bcrypt before you post something like you did.
First of all, bcrypt is also used as one-way hashing. Same as MD5. Instead of MD5, bcrypt is recommended worldwide by many security experts as a replacement for MD5. Why? Because it is safer and it is one-way HASHING.
Here you have a brute-force comparison chart. And look where bcrypt is...
http://stricture-group.com/files/brutalis_benchmarks.pdf
PS what kind of person are you? You have your clients' credit cards stored in the WHMCS database :D you are crazy! Sorry but :D :D :D
I'm not talking about brute force - I'm on about decryption. It is 10x easier to decrypt bcrypt than it is MD5.
ONEWAY == NO DECRYPTION
MD5, Bcrypt and Scrypt == ONE-WAY HASHING, not ENCRYPTING
Learn the difference between encryption and hashing
I know the difference as I've been doing development for 10+ years - I still don't see the reason you'd rather have Bcrypt rather than a built in feature for MySQL Databases - Both use the same method, one is just more recognized & safer than the other.
I'm also in favor of bcrypt. For hashing, of course. You should never store passwords encrypted. Salted and hashed, and bcrypt makes it harder for an attacker to compute your dumped database. Here is a good read:
https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored