Open hizkifw opened 5 years ago
would you like to work on it and create a PR?
Hashing passwords is easy. You do sha512($password); and store the result in the DB, and when someone logs in you do a sha256 to the password field of the login form before comparing it to the hash stored in the DB. That way the website doesn't even know the real password, only the hash.
Even better would be to split the password first, then do sha512($part1.$randomsalt.$part2); The entire fix should take less than 5 minutes.
That is also why a forgotten password always requires you to reset your password. They don't know what your password is, so they can't retrieve it.
@excitedbox why don't you create a PR? :)
Describe the bug
Storing passwords in a reversible format (e.g. base64) is very insecure and against standard security practices. Passwords should be stored as a hash instead. For further details, please refer to this post: https://security.stackexchange.com/a/36838
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Passwords should be hashed.
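Added example, not code from the project or from anyone in this issue: the reversible base64 "storage" the report describes, next to a salted, iterated password hash built on Python's standard-library PBKDF2, plus a login-time migration that upgrades legacy records. The iteration count and the record format are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# --- The reported bug: reversible encoding. Anyone who reads the DB gets the password back. ---
def store_base64(password):
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def recover_from_base64(stored):
    return base64.b64decode(stored).decode("utf-8")  # works, which is exactly the problem

# --- The fix: salted, iterated, one-way. ---
# Assumption: cost parameter for this example; tune so one hash costs ~100 ms on your server.
PBKDF2_ITERATIONS = 200_000
RECORD_PREFIX = "pbkdf2_sha256$"  # assumed record format: algo$iterations$salt_hex$hash_hex

def hash_password(password, salt=None):
    """Return a self-describing record; a fresh random salt is generated per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s%d$%s$%s" % (RECORD_PREFIX, PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iters = int(iters)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo + "$" != RECORD_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)

def check_and_upgrade(password, stored):
    """Login-time migration: verify a legacy base64 record, then replace it with a hash.

    Returns (login_ok, record_to_store). Hashed records are verified and left unchanged.
    """
    if stored.startswith(RECORD_PREFIX):
        return verify_password(password, stored), stored
    legacy_ok = hmac.compare_digest(store_base64(password).encode(), stored.encode())
    return legacy_ok, (hash_password(password) if legacy_ok else stored)
```

Legacy records only exist until each user's next successful login, after which nothing reversible remains in the table.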