MichaelHallam
commented
8 years ago Let me know if I have to do anything regarding this Tom. https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail This email has been sent from a virus-free computer protected by Avast. www.avast.com https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail <#DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
On 30 December 2015 at 21:55, Tom Bloor notifications@github.com wrote:
Currently password hashing uses 'salted' md5 hashes. This needs to be upgraded to use Blowfish encryption.
The server has been tested for compatibility with Blowfish Crypt, however the php version does not have password_hash so will need that to be implemented as a function for the crypt function, with random salts.
This will also affect the mobile application, so will have to be done at the same time - and preferably before actually allowing users onto the application.
This will not take a massive amount of time, but will obviously need testing.
— Reply to this email directly or view it on GitHub https://github.com/Pear-Trading/Registration/issues/17.
TBSliver
Currently password hashing uses 'salted' md5 hashes. This needs to be upgraded to use Blowfish encryption.
The server has been tested for compatibility with Blowfish Crypt, however the php version does not have password_hash so will need that to be implemented as a function for the crypt function, with random salts.
This will also affect the mobile application, so will have to be done at the same time - and preferably before actually allowing users onto the application.
This will not take a massive amount of time, but will obviously need testing.