contao / core

Contao 3 → see contao/contao for Contao 4
GNU Lesser General Public License v3.0

Remove support for deprecated user password hashes #8889

Closed ausi closed 6 years ago

ausi commented 6 years ago

We should remove support for sha1 passwords in https://github.com/contao/core/blob/4539b50fd849dda41c58cdf0da2230dffd909c94/system/modules/core/library/Contao/User.php#L383-L388

If someone gets read access to the database, they could brute-force the password of a backend user that still has a sha1 password hash. With the password they could then take over the server.

Removing support shouldn’t be a problem as it only affects users that didn’t log in for a very long time.
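To illustrate the change proposed above, here is an added example (not Contao's own code) of a password check that refuses legacy sha1 hashes outright rather than verifying them, leaving a password reset as the only way back in, while still transparently rehashing current hashes. It assumes the legacy layout is `<40 hex sha1>:<salt>` (an assumption for this illustration, not necessarily Contao's exact storage format) and that current hashes come from `password_hash()`.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Contao code. The legacy "<sha1 hex>:<salt>" layout is an
 * assumption made for this illustration.
 */
final class PasswordCheck
{
    public const OK = 'ok';
    public const OK_REHASHED = 'ok_rehashed';             // valid, hash upgraded
    public const INVALID = 'invalid';
    public const LEGACY_UNSUPPORTED = 'legacy_unsupported'; // caller must force a reset

    /** Detect the old sha1 layout without ever evaluating it. */
    public static function isLegacySha1(string $stored): bool
    {
        return (bool) preg_match('/^[0-9a-f]{40}(:[^:]*)?$/i', $stored);
    }

    /**
     * @return array{0:string,1:?string} status and, if rehashed, the new hash to persist
     */
    public static function verify(string $plain, string $stored): array
    {
        // Legacy sha1 hashes are no longer accepted at all: a fast, weakly salted
        // digest is cheap to brute-force once the database is readable.
        if (self::isLegacySha1($stored)) {
            return [self::LEGACY_UNSUPPORTED, null];
        }

        if (!password_verify($plain, $stored)) {
            return [self::INVALID, null];
        }

        // Upgrade hashes created with an older algorithm or lower cost on login.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            return [self::OK_REHASHED, password_hash($plain, PASSWORD_DEFAULT)];
        }

        return [self::OK, null];
    }
}

// Constructed sample inputs: one current hash, one legacy-style hash.
$current = password_hash('correct horse', PASSWORD_DEFAULT);
foreach ([$current, sha1('x') . ':abc'] as $stored) {
    [$status] = PasswordCheck::verify('correct horse', $stored);
    echo $status, PHP_EOL;
}
```

Rejecting rather than verifying the legacy hash means a leaked database row never yields a usable login even if the sha1 preimage is recovered, and the user is routed to the reset flow instead.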

leofeyer commented 6 years ago

I have created a PR for Contao 4.6 here: contao/core-bundle#1602

leofeyer commented 6 years ago

Fixed in d11a21b15b71aa098a04023a2d987793e77a7768.