Closed ghost closed 7 years ago
Do you have a reason that you think that is important? The reason I have them stored in a hash rather than plain text is so they aren't blatantly visible.
I fully understand this. The only concern I have is the ease of reverse-reading them with rainbow tables or running them through an md5 calculator.
I suppose it is possible for someone to get read access to the DB and use that to get access. I'll put this on my todo list for the next major version.
Thanks! If I were to recommend an algorithm, try using the password_hash feature in PHP and select the bcrypt algorithm. As far as I know, it is the most secure one available. Thanks again!
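Added example, not code from the project or from either commenter: a PHP login routine that does what the comment above recommends, verifying passwords with `password_hash`/`password_verify` using bcrypt, and transparently upgrading rows that still hold a bare MD5 digest the first time the user logs in successfully. The in-memory `$users` array, the column name `password_hash`, the cost of 12 and the sample credentials are all constructed assumptions standing in for the project's real user table.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "user table" (assumption, not the project's schema).
// alice still has a legacy unsalted MD5 digest; bob already has a bcrypt hash.
$users = [
    'alice' => ['password_hash' => md5('correct horse battery staple')],
    'bob'   => ['password_hash' => password_hash('a-long-example-passphrase', PASSWORD_BCRYPT, ['cost' => 12])],
];

const BCRYPT_OPTIONS = ['cost' => 12];

function isLegacyMd5(string $stored): bool
{
    // An unsalted MD5 digest is exactly 32 hex characters; bcrypt output starts with "$2y$".
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function hashPassword(string $plaintext): string
{
    // bcrypt generates its own random salt; the cost parameter sets the work factor.
    return password_hash($plaintext, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/**
 * Check $plaintext against $stored. Returns the hash that should be persisted
 * afterwards (unchanged, or upgraded to bcrypt), or null if the password is wrong.
 */
function verifyAndUpgrade(string $plaintext, string $stored): ?string
{
    if (isLegacyMd5($stored)) {
        // Constant-time comparison for the legacy path.
        if (!hash_equals(strtolower($stored), md5($plaintext))) {
            return null;
        }
        // Password is correct and we hold the plaintext, so replace MD5 with bcrypt now.
        return hashPassword($plaintext);
    }

    if (!password_verify($plaintext, $stored)) {
        return null;
    }
    // Also upgrade bcrypt hashes that were created with a lower cost than we use today.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return hashPassword($plaintext);
    }
    return $stored;
}

function login(array &$users, string $username, string $plaintext): bool
{
    if (!isset($users[$username])) {
        // Spend roughly the same time as a real check so unknown usernames are not
        // distinguishable by response time.
        password_verify($plaintext, hashPassword('placeholder'));
        return false;
    }

    $newHash = verifyAndUpgrade($plaintext, $users[$username]['password_hash']);
    if ($newHash === null) {
        return false;
    }
    // Persist the (possibly upgraded) hash; in the real project this is an UPDATE on the user row.
    $users[$username]['password_hash'] = $newHash;
    return true;
}

// Demonstration with the constructed rows above.
var_dump(login($users, 'alice', 'not her password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(isLegacyMd5($users['alice']['password_hash']));   // false once alice has been migrated
var_dump(login($users, 'bob', 'a-long-example-passphrase'));
```

The migration path is what makes this safe to ship without a password reset: every row stays in MD5 only until its owner next logs in, and the MD5 branch can be deleted once no 32-character digests remain. Note that bcrypt only considers the first 72 bytes of the input, so a length limit or pre-check on very long passwords is worth adding at the same time.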
(Sorry I closed the issue, hit the wrong button by accident)
Sorry this has taken a while. I've been working on a big refactor. I have the main parts done. Hopefully in the next few weeks I'll be able to finish things up. This issue was addressed in commit e431906
Passwords appear to be stored in MD5 and only MD5. I recommend changing this out to something else (e.g. bcrypt). EngineYard has a good series on the newer pw security standards.