Closed ypid closed 8 years ago
IMO we shouldn't "switch" to bcrypt, but extend ep_hash_auth to be able to use bcrypt. I can't merge this at the moment as the SHA2 crypt is removed, and that would break many installations on the updates.
I suggest to allow bcrypt as hash_typ parameter, or eventually implement a hash_lib settings.json argument if that is easier, ...
@ypid do you want to fix that? I'm kind of busy these days ... .) ... if not, I will fix that at a later time.
Sounds good. I recommend to switch to bcrypt by default (security by default). Can you test this?
In my test setting I currently get `Failed to load 'ep_hash_auth/index:authenticate' for 'ep_hash_auth/ep_hash_auth/hooks/authenticate': Error: Cannot find module 'ep_etherpad-lite/node/utils/Settings'`
no idea why.
Tested and integrated after a rewrite.
SHA2 with one round for storing passwords is anything but secure these days. Bcrypt seems to be the better option.
Related: https://github.com/debops/ansible-etherpad/issues/14
@LaKing Thanks for putting up the git repo for it :+1:
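The thread asks for bcrypt support without breaking installations that already store SHA2 hashes. The sketch below is an added example, not code from this pull request or from ep_hash_auth: it verifies either format and flags legacy records for re-hashing. It assumes the legacy format is an unsalted hex SHA-512 digest and that the caller passes in `compareSync` from the npm `bcrypt` package; `classifyHash`, `verifyPassword` and `minCost` are hypothetical names.

```javascript
const crypto = require('crypto');

// bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+hash.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;
// Assumed legacy format: single-round SHA-512 stored as 128 hex characters.
const SHA512_HEX_RE = /^[0-9a-f]{128}$/i;

// Decide how a stored credential was hashed from its shape alone.
function classifyHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (m) return { type: 'bcrypt', cost: parseInt(m[1], 10) };
  if (SHA512_HEX_RE.test(stored)) return { type: 'sha512' };
  return { type: 'unknown' };
}

// bcryptCompareSync: e.g. require('bcrypt').compareSync (injected so the
// legacy path works even where the native module is not installed).
// minCost: hypothetical policy floor; weaker bcrypt hashes get flagged too.
function verifyPassword(password, stored, bcryptCompareSync, minCost = 10) {
  const info = classifyHash(stored);
  if (info.type === 'bcrypt') {
    const ok = bcryptCompareSync(password, stored);
    return { ok, needsRehash: ok && info.cost < minCost };
  }
  if (info.type === 'sha512') {
    const actual = crypto.createHash('sha512').update(password, 'utf8').digest();
    const expected = Buffer.from(stored, 'hex'); // 64 bytes, same as actual
    const ok = crypto.timingSafeEqual(actual, expected);
    // A successful legacy login is the moment the plaintext is available
    // to re-hash with bcrypt and replace the stored value.
    return { ok, needsRehash: ok };
  }
  // Unknown formats (including plaintext entries) are rejected outright.
  return { ok: false, needsRehash: false };
}
```

When `needsRehash` is true, the caller can hash the just-verified password with bcrypt and overwrite the stored value, so legacy hashes phase out as users log in.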