Switch password hashing algorithm #27
If you switch the hashing algorithm, will you then stop emailing passwords in clear text too? Because regarding security this is a no go. https://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure But regardless, this is a real cool project, thank you for your work!
Mailing passwords is intended behavior right now, because it is only meant to be a one time password (I'm pretty sure the email says that they should change it ASAP). This could be mitigated by having some checks in place - for example that the user would need to change password after first login. We could of course skip the mailing completely and have the admin give the password to the user via a secure channel. What would be your preferred behavior? As this was at first intended to be only a school project I didn't give security much thought 🙂
I see :) Yeah, the email says it should be changed ASAP, but unfortunately most of the users don't... I would recommend something that is seen quite often (e.g. WordPress):
Just a thought... Would it not make sense to follow the PHP versions' end of life paradigm? 5.6 will no longer be supported after 31st of Dec 2018. PHP 7.1 will be the oldest version supported after Jan 2019, so it would be normal to only support 7.1 and 7.2 from that date on...
Yes that would make sense, I wanted the script to run everywhere and some hosting providers are pretty lazy to update PHP versions. But supporting 5.6+ would definitely make sense.
When I implemented the password hashing and verification algorithm, I used an older method of doing that. I don't know whether any of the current users use PHP < 5.5 but I haven't seen anything below 5.5 for a while that wasn't upgradable to 5.5 or higher. Let me know if you need me to support PHP < 5.5 or if I can switch to the `password_hash` method.
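A login-time migration from a legacy digest to `password_hash()`, as an added example that is not part of this issue or the project's code. The legacy sha1 format, the function names and the demo users are assumptions; it targets PHP 5.6+, the minimum discussed above.

```php
<?php
// Added example, not the project's code: verify a login against either the stored
// legacy digest or a password_hash() hash and return the hash to store from now on.
// Assumes PHP 5.6+ (hash_equals, password_*). The legacy format is an assumption
// (unsalted sha1 hex); swap legacy_verify()/is_legacy_hash() for the real scheme.

function legacy_verify($password, $storedHash) {
    // Hypothetical legacy scheme: plain sha1 hex digest, compared in constant time.
    return hash_equals($storedHash, sha1($password));
}

function is_legacy_hash($storedHash) {
    // password_hash() output starts with "$" (e.g. "$2y$10$..."); the assumed
    // legacy digest is exactly 40 hex characters.
    return preg_match('/^[0-9a-f]{40}$/', $storedHash) === 1;
}

// Returns null if the password is wrong, otherwise the hash to persist. When the
// result differs from $storedHash the caller must write it back to the database.
function verify_and_upgrade($password, $storedHash) {
    if (is_legacy_hash($storedHash)) {
        if (!legacy_verify($password, $storedHash)) {
            return null;
        }
        // Correct password and the plaintext is in hand: migrate to bcrypt now.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Already modern; rehash only when PHP's default cost/algorithm has moved on.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $storedHash;
}

// Constructed demo records: one legacy user, one already migrated.
$users = array(
    'alice' => sha1('correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT),
);
$attempts = array(array('alice', 'correct horse'), array('bob', 'battery staple'), array('alice', 'wrong'));
foreach ($attempts as $attempt) {
    list($user, $password) = $attempt;
    $newHash = verify_and_upgrade($password, $users[$user]);
    if ($newHash === null) { echo "$user: login failed\n"; continue; }
    if ($newHash !== $users[$user]) { $users[$user] = $newHash; } // persist the upgrade
    echo "$user: login ok\n";
}
```

Once every stored value is a `password_hash()` string, the legacy branch can be deleted; until then the legacy digests remain the weak point, so the migration should be paired with forcing a password change for accounts that have not logged in.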