boutell
commented
9 years ago I see you're the author of credential. Thanks for the pointer, it was on my to-do list to migrate to bcrypt but credential seems to be impeccably researched. I'm going to talk this over with the Apostrophe team and make sure it's done in the unstable branch and backported to the 0.5.x series.
As a transitional strategy I'd envision upgrading the sha1 passwords upon login. A tool to notify users who still need to do that is then very easy to write.
On Sat, Feb 7, 2015 at 2:58 AM, Eric Elliott notifications@github.com wrote:
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential https://github.com/ericelliott/credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1
— Reply to this email directly or view it on GitHub https://github.com/punkave/apostrophe/issues/191.
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
ericelliott
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1