open-classifieds / OpenClassifieds

OLD REPO! DO not clone/Download. Only here for historical reasons. Version 1.X
https://yclas.com

Plain password in account #19

Closed neo22s closed 10 years ago

neo22s commented 11 years ago

Do not store the password in plain at least md5.

Also change the flow to restore the password.

neo22s commented 11 years ago

yep, just better to send an email with a link to change your password. I didn't develop the account part, I need to check how it works.

jmdoren commented 11 years ago

md5 is not secure, there are a lot of md5 databases. I always use something like sha1( md5( $user_nick ) . 'My own secret string' . md5( $password ) )

2012/11/28 Chema notifications@github.com

Do not store the password in plain at least md5.

Also change the flow to restore the password.


Juan Manuel Doren Santiago, Chile

neo22s commented 11 years ago

Normally I use sha1 + salt.

The problem is to generate that salt...maybe we can modify the installation and generate the salt in the config.php?

In Kohana we do it like here https://github.com/neo22s/openclassifieds2/blob/master/oc/classes/auth/oc.php

This is pro...like it should be but soon we are in 2.0. few months...

jmdoren commented 11 years ago

probably you don't need the public function password($user); the more secure mode to check it is querying like this:

SELECT user_id FROM user WHERE mail='pepito@example.com' AND PASSWORD='encrypted password' AND status = 'ACTIVE'

If there are no rows then the user doesn't exist or is inactive or the password is invalid, but a hacker won't know which one.
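An added example, not code from this issue or from OpenClassifieds, written in Python rather than the project's PHP: it contrasts the sha1-plus-site-secret scheme proposed above with a per-user random salt and a slow KDF, and ends with a single yes/no login check in the spirit of the one-query lookup in the previous comment. SITE_SECRET, the user table and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample secret, standing in for a value generated into config.php
SITE_SECRET = "My own secret string"


def legacy_hash(nick: str, password: str) -> str:
    """The thread's proposal: sha1(md5(nick) . secret . md5(password)).
    Deterministic and fast; the only per-user input is the nick, so if the
    secret leaks the whole table can be attacked with precomputed lists."""
    inner = (hashlib.md5(nick.encode()).hexdigest()
             + SITE_SECRET
             + hashlib.md5(password.encode()).hexdigest())
    return hashlib.sha1(inner.encode()).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the hash, so no global secret has to be kept
    out of the database for the stored hashes to resist lookup tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": digest.hex(), "status": "ACTIVE"}


# Dummy record so an unknown mail still costs one KDF run (no timing tell).
DUMMY = make_record(os.urandom(8).hex())


def login(users: dict, mail: str, password: str) -> bool:
    """One answer only, like the single SELECT in the thread: the caller cannot
    tell whether the mail is unknown, the account inactive, or the password wrong."""
    rec = users.get(mail, DUMMY)
    expected = bytes.fromhex(rec["hash"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(rec["salt"]), rec["iterations"])
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return bool(ok and rec["status"] == "ACTIVE" and mail in users)


# Constructed sample user table (hashes computed at import time)
USERS = {
    "pepito@example.com": make_record("correct horse"),
    "inactive@example.com": {**make_record("correct horse"), "status": "INACTIVE"},
}
```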

emanwebdev commented 10 years ago

the more secure mode to check it is querying like this:

SELECT user_id FROM user WHERE mail='pepito@goodsite.es' AND PASSWORD='encrypted password' AND status = 'ACTIVE'

can't confirm it's "the more secure" but right, let's use the tools as they're designed for.

neo22s commented 10 years ago

that's old Open Classifieds not the new version ;)

emanwebdev commented 10 years ago

geee :-1: sooooorry :walking:

woke up a good old friend btw :beers: