sproctor / php-calendar

PHP-Calendar
http://www.php-calendar.org/
Apache License 2.0
140 stars, 67 forks

Improve Password Hashing #141

Closed ghost closed 7 years ago

ghost commented 8 years ago

Passwords appear to be stored in MD5 and only MD5. I recommend changing this out to something else (e.g. bcrypt). EngineYard has a good series on the newer pw security standards.

sproctor commented 8 years ago

Do you have a reason that you think that is important? The reason I have them stored in a hash rather than plain text is so they aren't blatantly visible.

ghost commented 8 years ago

I fully understand this. The only concern I have is the ease of reverse-reading them with rainbow tables or running them through an md5 calculator.

sproctor commented 8 years ago

I suppose it is possible for someone to get read access to the DB and use that to get access. I'll put this on my todo list for the next major version.

ghost commented 8 years ago

Thanks! If I were to recommend an algorithm, try using the password_hash feature in PHP and select the bcrypt algorithm. As far as I know, it is the most secure one available. Thanks again!
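As an added example, not code from php-calendar or from the commenter above: a PHP login check that accepts a legacy MD5 value in the password column during a transition and rewrites it as a bcrypt hash via password_hash() on the first successful login, so existing users are migrated without a reset. The $users array (standing in for the database), the user names, the passwords and the cost of 12 are constructed for this example.

```php
<?php
// Added example (not php-calendar code): transparent MD5 -> bcrypt upgrade on login.
declare(strict_types=1);

// Hypothetical cost choice; tune so one hash takes a noticeable fraction of a second.
const BCRYPT_OPTIONS = ['cost' => 12];

// Constructed sample store: one user still on bare MD5, one already on bcrypt.
$users = [
    'alice' => ['hash' => md5('correct horse')],                                         // legacy, 32 hex chars
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_BCRYPT, BCRYPT_OPTIONS)], // "$2y$12$..."
];

// A throwaway bcrypt hash, verified against when the user does not exist, so a
// login attempt for an unknown name costs about as much time as a real one.
$dummyHash = password_hash('unused', PASSWORD_BCRYPT, BCRYPT_OPTIONS);

function isLegacyMd5(string $hash): bool
{
    // Bare MD5 is exactly 32 hex characters; password_hash() output starts with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $hash);
}

/**
 * Returns true when $password matches the stored hash for $username.
 * On success, a legacy MD5 entry (or a bcrypt entry with an outdated cost)
 * is replaced in place with a fresh bcrypt hash.
 */
function verifyAndUpgrade(array &$users, string $username, string $password, string $dummyHash): bool
{
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash); // constant-ish time for unknown users
        return false;
    }

    $stored = $users[$username]['hash'];

    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time; plain "==" would not.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the MD5 value with bcrypt right away.
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }

    // Already bcrypt; re-hash only if the stored cost no longer matches the policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

// Walk-through with the constructed store.
echo "alice before: " . $users['alice']['hash'] . PHP_EOL;            // 32 hex chars
var_dump(verifyAndUpgrade($users, 'alice', 'wrong password', $dummyHash)); // bool(false)
var_dump(verifyAndUpgrade($users, 'alice', 'correct horse', $dummyHash));  // bool(true)
echo "alice after:  " . $users['alice']['hash'] . PHP_EOL;            // now begins with "$2y$12$"
var_dump(isLegacyMd5($users['alice']['hash']));                        // bool(false)
var_dump(verifyAndUpgrade($users, 'bob', 'battery staple', $dummyHash));   // bool(true)
var_dump(verifyAndUpgrade($users, 'nobody', 'anything', $dummyHash));      // bool(false)
```

In a real deployment the in-place array write becomes an UPDATE of the user's row; the column must be wide enough for bcrypt output (60 characters, and more if the algorithm is later changed), and once no legacy rows remain the MD5 branch can be deleted so that an attacker who obtains the database never sees a fast-to-crack hash again.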

ghost commented 8 years ago

(Sorry I closed the issue, hit the wrong button by accident)

sproctor commented 7 years ago

Sorry this has taken a while. I've been working on a big refactor. I have the main parts done. Hopefully in the next few weeks I'll be able to finish things up. This issue was addressed in commit e431906