Insecure password storage method #674
Comments
That's not the case. It is not trivial to find the plain-text password; it is affordable to get a collision which is not the real password in most cases. Getting the real password is more likely to be done using rainbow tables. This is only true as long as you don't use a strong realm. I would suggest automatically setting a long random realm during install. But of course, I agree that md5 should be replaced as soon as possible, I just think that the problem is not as bad as you described it.

This has already been reported in #514

Damn, my bad.
Currently passwords are stored using md5; this isn't recommended by PHP itself. Something like password_hash should be used instead. If not supporting PHP 5.4 isn't an option (it's more than 5 years old now), crypt should be used instead.

Rationale: an attacker able to get the hash could trivially run a highly effective brute-force attack against them, and retrieve their plain-text version.
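The storage scheme the issue describes next to the replacement it suggests, as an added example (not the project's own code, and not from any of the commenters): weak_hash() mirrors MD5 storage, with an optional realm like the one discussed in the comments; strong_hash()/strong_verify() use password_hash()/password_verify() (available since PHP 5.5); legacy_hash() shows the crypt() route for older PHP; and verify_and_upgrade() migrates a legacy row on the user's next successful login. All function names, the cost constant, the realm value and the sample password are assumptions constructed for the example, and it targets PHP 7+.

```php
<?php
// Added example for this issue, not the project's own code. Written for PHP 7+
// (random_bytes, scalar type hints). The crypt() fallback mirrors what the
// issue suggests for older PHP; there, openssl_random_pseudo_bytes() would
// stand in for random_bytes().

const BCRYPT_COST = 12; // assumption: tune so one hash takes tens of ms on the server

// Weak scheme as reported: MD5 of the password, optionally prefixed with a
// realm as in HTTP Digest. A shared realm defeats precomputed tables, but the
// digest is still one fast hash with no per-user salt.
function weak_hash(string $password, string $realm = ''): string {
    return md5($realm === '' ? $password : "$realm:$password");
}

function weak_verify(string $password, string $stored, string $realm = ''): bool {
    return hash_equals($stored, weak_hash($password, $realm));
}

// Recommended (PHP >= 5.5): password_hash() draws a random salt and applies
// bcrypt with a work factor; algorithm, cost and salt are encoded in the
// result, so password_verify() needs nothing else and compares in constant time.
function strong_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function strong_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Fallback for PHP < 5.5 (>= 5.3.7 for the $2y$ prefix): crypt() with a
// bcrypt salt built from 16 random bytes. Produces the same $2y$ format.
function legacy_hash(string $password): string {
    // bcrypt expects a 22-character salt over the ./A-Za-z0-9 alphabet
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', BCRYPT_COST) . $salt);
    if (strlen($hash) !== 60) {
        // crypt() signals failure with a short "*0" / "*1" string
        throw new RuntimeException('bcrypt unavailable in this PHP build');
    }
    return $hash;
}

function legacy_verify(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Transparent migration: on a successful login against a legacy MD5 digest,
// replace the stored value with a password_hash() result. Existing rows cannot
// be re-hashed in bulk without the plaintext, so this happens per user.
function verify_and_upgrade(string $password, string &$stored, string $realm = ''): bool {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {   // bare MD5 digest: legacy row
        if (!weak_verify($password, $stored, $realm)) {
            return false;
        }
        $stored = strong_hash($password);
        return true;
    }
    if (!strong_verify($password, $stored)) {
        return false;
    }
    // also bump rows hashed earlier with a lower cost
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $stored = strong_hash($password);
    }
    return true;
}

// Constructed sample run: one legacy user record and two login attempts.
$realm  = 'example-realm-set-at-install';      // constructed value
$stored = weak_hash('correct horse battery staple', $realm);
printf("legacy row : %s\n", $stored);
var_dump(verify_and_upgrade('wrong password', $stored, $realm));
var_dump(verify_and_upgrade('correct horse battery staple', $stored, $realm));
printf("upgraded   : %s\n", $stored);
var_dump(strong_verify('correct horse battery staple', $stored));
var_dump(legacy_verify('correct horse battery staple', legacy_hash('correct horse battery staple')));
```

Run with `php example.php`. The login-time migration is the part that is easy to forget: because the plaintext is never available server-side, legacy MD5 rows can only be replaced when their owner next authenticates, so a rollout usually pairs this with a deadline after which un-migrated accounts must go through a password reset.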