Closed kristjanjansen closed 8 years ago
@mikkpokk idea:
Password generation for new users:
sha1(salt + md5(password))
Password generation for old users:
sha1(salt + password)
See also http://laravel.io/forum/03-18-2014-password-salt-just-wondering
Another idea:
One of the most typical solutions is to create a new hash on the next login. You invalidate the user's session, and when they try to log in, you first check whether the password matches the old hash. Then you build a new hash from that same password, which is still known to be correct at that moment, and overwrite the old one in the database.
https://www.reddit.com/r/PHP/comments/3lwxlw/hash_and_verify_passwords_in_php_the_right_way/cva6y6p
Basically Mikk's idea without salt (it's already in the default bcrypt())
Closed in favour of #687
In order to allow legacy Drupal users to log in with their usernames and passwords we introduced md5() as a new hasher service. See also https://github.com/tripikad/trip2/issues/3. This is not considered secure, and Laravel's original bcrypt() is considered a way more secure hasher. We need to choose:
Option A: md5() AND bcrypt() -- decided
https://www.reddit.com/r/PHP/comments/3lwxlw/hash_and_verify_passwords_in_php_the_right_way/cva6y6p
Option B: Keep insecure md5()
Option C: Secure bcrypt()
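The following is an added example and not code from the tripikad/trip2 project. It shows the two approaches discussed in this issue side by side: Option A read as bcrypt applied over the existing md5 digest (bcrypt(md5(password)), which is how the "Mikk's idea without salt" comment describes it; this reading is an assumption), and the rehash-on-next-login step from the Estonian comment, which replaces the wrapped hash with a plain bcrypt(password) once the clear-text password is known again. The record shape, scheme labels and sample user are constructed for the example; the PHP functions used (password_hash, password_verify, password_needs_rehash, hash_equals, md5) are standard PHP.

```php
<?php
// Added example, not code from the tripikad/trip2 project.
// Illustrates (1) wrapping legacy md5 hashes in bcrypt at migration time
// (Option A as bcrypt(md5(password))) and (2) upgrading a record to a plain
// bcrypt(password) on the user's next successful login.
// The 'scheme' field and the sample $user record are constructed for this example.

declare(strict_types=1);

const SCHEME_LEGACY_MD5 = 'md5';        // raw Drupal-era md5(password), unsalted and fast
const SCHEME_WRAPPED    = 'bcrypt-md5'; // bcrypt(md5(password)); bcrypt supplies its own salt
const SCHEME_BCRYPT     = 'bcrypt';     // bcrypt(password), Laravel's default hasher

/**
 * One-off migration step: wrap every remaining md5 digest in bcrypt so that no
 * unsalted, fast hash stays in the database. Needs no user interaction, because
 * the stored md5 digest is all the input bcrypt needs.
 */
function wrapLegacyHash(array $user): array
{
    if ($user['scheme'] === SCHEME_LEGACY_MD5) {
        $user['hash']   = password_hash($user['hash'], PASSWORD_BCRYPT);
        $user['scheme'] = SCHEME_WRAPPED;
    }
    return $user;
}

/**
 * Verify a login attempt against whichever scheme the record uses. On success,
 * upgrade non-bcrypt records to a plain bcrypt hash of the password, which is
 * only available in clear text at this moment. Returns [bool $ok, array $user]
 * so the caller can persist the (possibly updated) record.
 */
function verifyAndUpgrade(array $user, string $password): array
{
    switch ($user['scheme']) {
        case SCHEME_LEGACY_MD5:
            // hash_equals: constant-time comparison of the two hex digests
            $ok = hash_equals($user['hash'], md5($password));
            break;
        case SCHEME_WRAPPED:
            $ok = password_verify(md5($password), $user['hash']);
            break;
        case SCHEME_BCRYPT:
            $ok = password_verify($password, $user['hash']);
            break;
        default:
            $ok = false; // unknown scheme: never accept
    }

    if ($ok && $user['scheme'] !== SCHEME_BCRYPT) {
        // Rehash-on-login: overwrite the old hash with bcrypt(password)
        $user['hash']   = password_hash($password, PASSWORD_BCRYPT);
        $user['scheme'] = SCHEME_BCRYPT;
    } elseif ($ok && password_needs_rehash($user['hash'], PASSWORD_BCRYPT)) {
        // Already bcrypt, but the cost parameter changed since: refresh it too
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return [$ok, $user];
}

// --- constructed sample data: one Drupal-era user with a raw md5 hash ---
$user = ['name' => 'legacy-user', 'scheme' => SCHEME_LEGACY_MD5, 'hash' => md5('correct horse')];

$user = wrapLegacyHash($user); // Option A applied at migration time
assert($user['scheme'] === SCHEME_WRAPPED);

[$ok, $user] = verifyAndUpgrade($user, 'wrong password');
assert($ok === false && $user['scheme'] === SCHEME_WRAPPED); // no upgrade on a failed attempt

[$ok, $user] = verifyAndUpgrade($user, 'correct horse');
assert($ok === true && $user['scheme'] === SCHEME_BCRYPT);   // upgraded on next successful login

[$ok, $user] = verifyAndUpgrade($user, 'correct horse');
assert($ok === true);                                         // plain bcrypt from now on
echo "migration flow ok\n";
```

The wrapping step removes the unsalted md5 hashes from the database immediately, while the login path is what eventually retires the md5 layer altogether; records whose owners never log in again stay wrapped, so a cleanup policy for those is a separate decision.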