Closed bartgrantham closed 1 year ago
Sorry for being a bit late to reply. And right you are. As you may know from looking at the code, we support auth modules, and we have one that will replace the default login scheme. We will push this to the repository in v1.0.1. It uses a keypair for the authentication and is much more secure.
Thank you for the feedback!
https://github.com/FriendUPCloud/friendup/tree/master/modules/login/secure
```ini
[LoginModules]
use = php.authmod
modules = secure,fcdb

[Module]
login = modules/login/secure/secure.php;
```
You shouldn't hash passwords with SHA-256, and if you insist on hashing with SHA-256 with a salt, you shouldn't publish the salt. The salt should be random per installation and treated as sensitive data like an encryption key.
Best practice is to use bcrypt (best) or PBKDF2 (a close second) to make generation of rainbow tables impractical. Here's a pretty good primer on password management.
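As an added illustration of the point raised here (not code from the FriendUP project, whose login module is PHP, where `password_hash()`/`password_verify()` give you bcrypt directly), the Python below puts the fixed-salt SHA-256 scheme the issue objects to next to a PBKDF2-HMAC-SHA256 scheme with a random salt per password and a constant-time check. The salt value, the storage format and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Weak scheme criticised in the issue: one installation-wide salt that is
# checked into the repository. Constructed placeholder value, not the project's.
INSTALL_SALT = b"placeholder-salt-from-the-repo"


def weak_hash(password: str) -> str:
    # Same password -> same digest for every user, and the public salt lets
    # an attacker precompute a table once for every installation.
    return hashlib.sha256(INSTALL_SALT + password.encode()).hexdigest()


# Hardened scheme: PBKDF2-HMAC-SHA256, 16 random salt bytes per password,
# iteration count stored with the hash so it can be raised for new hashes later.
DEFAULT_ITERATIONS = 600_000  # constructed default; tune to your hardware


def make_hash(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: scheme$iterations$salt$derived_key (all hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    # Parse the stored record; anything malformed is treated as a failed login.
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, expected)
```

Migrating an existing user base means re-hashing at next successful login, since the original password is only available then.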