Closed gmcharlt closed 3 years ago
Hello Galen! Thanks so much for your help. We really appreciate it. In regards to the PHP version, we are currently scheduled to release a new version with PHP 7.4 on Feb 15.
Great, if PHP5 (or at least < 5.5) support is about to not be a factor, that would simplify things. I can work on a branch.
Currently, staff passwords are hashed using unsalted MD5, which is insecure. Updating it to salted bcrypt would guard against dictionary attacks if the contents of the staff table got compromised.
This would be doable by switching to PHP's password_hash() builtin. Double-hashing, e.g. using password_hash(md5($plainTextPassword)), would make upgrades straightforward, although there are some dependency issues:
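As an added example, not code from this project or from the issue author, here is what the double-hashing upgrade path sketched above looks like in PHP: existing unsalted-MD5 rows are converted to bcrypt-over-MD5 (which needs no plaintext), and a login against a legacy row verifies the MD5 and then stores the upgraded hash. The function names and the assumption that legacy hashes are 32 lowercase hex characters are mine.

```php
<?php
// Added example (not the project's code). Helper names are hypothetical.

// Detect a legacy unsalted MD5 hash: 32 lowercase hex characters.
function isLegacyMd5Hash(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// New format: bcrypt (via password_hash) over the MD5 of the plaintext.
function makeUpgradedHash(string $plainText): string {
    return password_hash(md5($plainText), PASSWORD_BCRYPT);
}

// Bulk migration of existing rows: only the MD5 digest is known, so wrap it.
function upgradeStoredMd5(string $legacyMd5): string {
    return password_hash($legacyMd5, PASSWORD_BCRYPT);
}

// Verify a login attempt. Returns [bool ok, ?string newHashToStore];
// the caller writes newHashToStore back to the staff row when it is set.
function verifyStaffPassword(string $plainText, string $stored): array {
    if (isLegacyMd5Hash($stored)) {
        // Legacy row: constant-time compare of digests, then upgrade on success.
        $ok = hash_equals($stored, md5($plainText));
        return [$ok, $ok ? makeUpgradedHash($plainText) : null];
    }
    $ok = password_verify(md5($plainText), $stored);
    // password_needs_rehash covers later bcrypt cost or algorithm changes.
    $rehash = ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT))
        ? makeUpgradedHash($plainText) : null;
    return [$ok, $rehash];
}

// Constructed demo values (not real staff data).
$legacy = md5('correct horse');          // what an un-migrated row holds today
[$ok, $new] = verifyStaffPassword('correct horse', $legacy);
assert($ok && $new !== null && password_verify(md5('correct horse'), $new));
[$bad, $none] = verifyStaffPassword('wrong password', $legacy);
assert(!$bad && $none === null);

// Bulk-migrated row verifies the same way as a login-upgraded one.
$migrated = upgradeStoredMd5($legacy);
[$ok2, $rehash2] = verifyStaffPassword('correct horse', $migrated);
assert($ok2 && $rehash2 === null);
echo "upgraded hash: $new\n";
```

Because the bcrypt input is md5($plainText) in both paths, rows migrated in bulk and rows upgraded at login end up in one format, so the legacy branch can be deleted once no 32-hex rows remain.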