halalaninitiative / halalan

Free and open-source voting system

Change Hashing of Password #53

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Currently, hashing of password is done using the sha1 function of PHP with
the password as the parameter.  This can be improved by adding a dynamic
and a static salt to the password before hashing it.

Original issue reported on code.google.com by waldemar...@gmail.com on 2 Jul 2008 at 6:56

GoogleCodeExporter commented 9 years ago
How about using phpass (http://www.openwall.com/phpass/), the one WordPress currently uses?

Original comment by djclue...@gmail.com on 2 Jul 2008 at 12:04

GoogleCodeExporter commented 9 years ago
I don't see any real advantage of using phpass over native PHP hashing functions with regards to Halalan since elections usually last for only a day.  Halalan would already be offline by the time a password is cracked.  However, it is worth looking deeper into this issue so we can further enhance the security of the system.

Original comment by waldemar...@gmail.com on 2 Jul 2008 at 12:37

GoogleCodeExporter commented 9 years ago
I just saw this from the CodeIgniter blog:

```php
$dynamic_salt = microtime();
$static_salt = 'qGPBA8iCM3cUuCbBAQx3E0uOkKTrSeEUiSrAkykEk4sEniyP67Q2BTp8vtDqoqw'; // Grabbed from file.
$password = 'password'; // Password from input form.

$hashed_password = sha1($dynamic_salt.$password.$static_salt); // Super Secure!
```

Maybe we can do something similar? :D

Original comment by djclue...@gmail.com on 4 Jul 2008 at 5:25

GoogleCodeExporter commented 9 years ago
Yes, we can do that.  We can use the $config['encryption_key'] in halalan.php as the static salt.

Original comment by waldemar...@gmail.com on 4 Jul 2008 at 5:36

GoogleCodeExporter commented 9 years ago

Original comment by waldemar...@gmail.com on 17 Mar 2009 at 6:00

GoogleCodeExporter commented 9 years ago

Original comment by waldemar...@gmail.com on 16 Jun 2010 at 6:58

GoogleCodeExporter commented 9 years ago

Original comment by waldemar...@gmail.com on 7 Feb 2011 at 8:48

GoogleCodeExporter commented 9 years ago

Original comment by waldemar...@gmail.com on 10 Apr 2011 at 6:34

GoogleCodeExporter commented 9 years ago
This is already done in admin of 2.x.x.  Voters will follow.

Original comment by waldemar...@gmail.com on 11 Oct 2011 at 12:20

GoogleCodeExporter commented 9 years ago

Original comment by daru...@gmail.com on 16 Oct 2011 at 1:43

waldemarbautista commented 9 years ago

For review.

waldemarbautista commented 9 years ago

Now using http://php.net/password_hash.
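As an added example (not Halalan's code), the following puts the two approaches from this thread side by side: the sha1(dynamic.password.static) scheme proposed above and the password_hash()/password_verify() API the issue was closed with, plus a login-time upgrade from the legacy format. The credential record layout, the static salt value and the sample data are all assumed for illustration.

```php
<?php
// Added example, not Halalan's own code.

// Legacy scheme from the thread: a single SHA-1 round (fast to brute force), a static
// salt shared by every account, and a microtime() "dynamic" salt that is predictable
// and has to be stored next to the hash anyway.
function legacy_hash(string $password, string $dynamic_salt, string $static_salt): string {
    return sha1($dynamic_salt . $password . $static_salt);
}

// Modern scheme: password_hash() (bcrypt under PASSWORD_DEFAULT) draws a random
// per-user salt and embeds algorithm, cost and salt in the returned string.
function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Verify against either format; on a successful legacy login, rewrite the record
// with a modern hash. $record is an assumed shape: ['hash' => ..., 'salt' => ...].
function verify_and_upgrade(string $password, array &$record, string $static_salt): bool {
    if (password_get_info($record['hash'])['algo']) {        // already password_hash() output
        if (!password_verify($password, $record['hash'])) {
            return false;
        }
        if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT, ['cost' => 12])) {
            $record['hash'] = modern_hash($password);         // cost was raised since last login
        }
        return true;
    }
    $expected = legacy_hash($password, $record['salt'], $static_salt);
    if (!hash_equals($expected, $record['hash'])) {            // constant-time comparison
        return false;
    }
    $record['hash'] = modern_hash($password);                 // upgrade in place
    $record['salt'] = '';                                     // salt now lives inside the hash
    return true;
}

// Constructed sample data: one account still stored in the legacy format.
$static_salt = 'constructed-static-salt-not-a-real-key';
$record = ['salt' => '0.12345600 1215000000', 'hash' => ''];
$record['hash'] = legacy_hash('correct horse', $record['salt'], $static_salt);

echo verify_and_upgrade('wrong guess', $record, $static_salt) ? "login ok\n" : "login rejected\n";
echo verify_and_upgrade('correct horse', $record, $static_salt) ? "login ok\n" : "login rejected\n";
echo "stored hash now starts with: " . substr($record['hash'], 0, 4) . "\n";
```

Running the script on PHP 5.5 or later shows the first attempt rejected, the second accepted, and the stored hash rewritten in bcrypt format, after which the legacy salt column is no longer needed.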