Open christian-heusel opened 5 years ago
At the moment, all the passwords are stored as a hexdump of the `sha1sum` of the originally inserted password.

According to this, this is a common bad practice, because once a hacker gains access to the database it is much easier to crack the gained hashes.

An example method is defined in https://github.com/muesli-hd/muesli/blob/146e8e9d9f25422239f78fb5ea490e74670f0126/muesli/web/viewsUser.py#L44-L54 and should use the Python module `bcrypt` as an alternative.

Is it correct that this would imply not only refactoring the code, but also rewriting the `password` column in the database using some kind of migration script?
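The migration question in the issue hinges on one fact: a slow hash cannot be computed from the stored SHA-1 hex without the plaintext, so an upgrade has two workable shapes. A one-off migration script can wrap every existing SHA-1 hex in the slow hash immediately (no plaintext needed, and the old unsalted digests leave the database in one pass), and the login path can then rehash the raw password into the plain slow-hash scheme the next time each user signs in. The example below is added here to show both paths together; it is not the muesli project's code and not the issue author's. It uses `hashlib.pbkdf2_hmac` from the standard library as a stand-in for the `bcrypt` module the issue proposes, so that it runs with no third-party dependency; with `bcrypt` installed, `bcrypt.hashpw` and `bcrypt.checkpw` take the place of `_derive`, and the same scheme prefixes still distinguish the rows. The `users` dict, the `correct horse`/`hunter2` passwords and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for the example; tune it to the server's CPU budget.
ITERATIONS = 200_000


def sha1_hex(password: str) -> str:
    """Legacy scheme from the issue: hex digest of unsalted SHA-1 over the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _derive(secret: bytes, salt: bytes, iterations: int) -> bytes:
    # Stand-in for bcrypt: salted, deliberately slow key derivation from the standard library.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def hash_password(password: str) -> str:
    """New scheme for fresh passwords. Stored form: pbkdf2$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16)
    dk = _derive(password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def wrap_legacy_hash(sha1_hexdigest: str) -> str:
    """Batch migration without plaintext: slow-hash the stored SHA-1 hex itself.
    Stored form: pbkdf2-sha1$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16)
    dk = _derive(sha1_hexdigest.encode("ascii"), salt, ITERATIONS)
    return f"pbkdf2-sha1${ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    # Legacy rows are bare 40-char hex with no scheme prefix.
    return "$" not in stored


def verify_password(stored: str, password: str) -> bool:
    """Check a password against any of the three row formats, in constant time per format."""
    if is_legacy(stored):
        return hmac.compare_digest(sha1_hex(password), stored)
    parts = stored.split("$")
    if len(parts) != 4:
        return False
    scheme, iters, salt_hex, dk_hex = parts
    if scheme == "pbkdf2":
        secret = password.encode("utf-8")
    elif scheme == "pbkdf2-sha1":
        # Wrapped row: recompute the legacy digest, then the slow hash over it.
        secret = sha1_hex(password).encode("ascii")
    else:
        return False
    dk = _derive(secret, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def migrate_table(users: dict) -> int:
    """Migration-script step: wrap every legacy row in place. Returns the number changed."""
    changed = 0
    for name, stored in users.items():
        if is_legacy(stored):
            users[name] = wrap_legacy_hash(stored)
            changed += 1
    return changed


def login(users: dict, username: str, password: str) -> bool:
    """Verify the password; on success, rows not yet on the plain pbkdf2 scheme are rehashed."""
    stored = users.get(username)
    if stored is None:
        # Burn the same work for unknown users so timing does not reveal which names exist.
        _derive(password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    if not verify_password(stored, password):
        return False
    if not stored.startswith("pbkdf2$"):
        users[username] = hash_password(password)  # lazy upgrade while the plaintext is in hand
    return True


def demo() -> dict:
    # Constructed stand-in for the users table: the password column as the issue describes it.
    users = {"alice": sha1_hex("correct horse"), "bob": sha1_hex("hunter2")}
    migrate_table(users)                    # deploy-time script: no legacy digests remain
    login(users, "alice", "correct horse")  # alice's row is upgraded to the plain scheme
    return users
```

After `migrate_table` has run, no unsalted SHA-1 digest remains in the database, which is the property the issue is after; the `pbkdf2-sha1` rows still carry a SHA-1 step inside them, which is why `login` rehashes them on the next successful sign-in. If the wrapping is done with real `bcrypt`, note that its input is capped at 72 bytes; a 40-character SHA-1 hex string fits comfortably, and the prefix scheme above still lets the verifier tell the two row formats apart.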