FriendUPCloud / friendup

FriendOS is a free web based platform that runs in your browser. It allows you to work and play, collaboratively, across devices.
https://friendos.com/

Passwords are insecure #30

Closed bartgrantham closed 1 year ago

bartgrantham commented 7 years ago

You shouldn't hash passwords with SHA-256, and if you insist on hashing with SHA-256 with a salt you shouldn't publish the salt. The salt should be random per installation and treated as sensitive data like an encryption key.

Best practice is to use bcrypt (best) or PBKDF2 (a close second) to make generation of rainbow tables impractical. Here's a pretty good primer on password management.
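
The contrast the comment draws, as an added example that is not part of the issue thread or the FriendUP code: a single SHA-256 over a fixed, published salt (the salt string below is a constructed placeholder) next to PBKDF2-HMAC-SHA256 with a random per-user salt, plus a check showing that one precomputed table matches every user of the first scheme and none of the second.

```python
import hashlib
import hmac
import os
from typing import Optional

# Scheme the issue objects to: one SHA-256 pass over a salt that is fixed per
# deployment and shipped with the source. Constructed placeholder value.
PUBLISHED_SALT = "example-static-salt"


def weak_hash(password: str) -> str:
    return hashlib.sha256((PUBLISHED_SALT + password).encode()).hexdigest()


# Hardened alternative: PBKDF2-HMAC-SHA256, random 16-byte salt per user,
# high iteration count, stored as "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>".
ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_hits(stored_digests, candidates, hasher) -> int:
    """Build one precomputed table from candidate passwords and count how many
    stored digests it matches. Only a deterministic hasher (fixed salt) can be
    attacked this way; per-user random salts make the table useless."""
    table = {hasher(c) for c in candidates}
    return sum(1 for d in stored_digests if d in table)
```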

titlestad commented 7 years ago

Sorry for being a bit late to reply. And right you are. As you may know from looking at the code, we support auth modules, and we have one that will replace the default login scheme. We will push this to the repository in v1.0.1. It uses a keypair for the authentication and is much more secure.

Thank you for the feedback!

AceZeroX commented 4 years ago
  1. Have to have this folder in the login module

https://github.com/FriendUPCloud/friendup/tree/master/modules/login/secure

  2. Update this to /build/cfg/cfg.ini

[LoginModules]
use = php.authmod
modules = secure,fcdb

  3. Create file in /build/cfg/ called secure.ini and put this data in

[Module]
login = modules/login/secure/secure.php;

  4. The login will then show "Secure Login" and it's using an RSA 1024-bit private key generated based on login credentials in JavaScript memory to authenticate with the server where the public key is stored, no password between client and server, tunnel encrypted + ajax transfer.