Closed RoiEXLab closed 7 years ago
EDIT: #828 implements an unused SHA512 class...
A possibility for migration:
Then eventually we should stop seeing MD5s in the system.
The question is, should we use Salt or double hashing for the passwords? Or Both?
Or as mentioned in #828 we could use some hashing algorithms especially made for passwords like bcrypt for bonus security - would require a new library though
sha512 is an upgrade as is, bcrypt seems like gravy. Go for it if you want.
But, we need to be sure we can integrate this well. For example, the tripleawarclub DB might potentially be shared with the one used by lobby. Perhaps not, but IIRC there is some sharing there.
AFAIK the MD5 class is not only used for passwords... My suggestion would be to replace the password hashing with bcrypt and all the other "no-need-for-absolute-secureness" stuff with SHA512 since it's faster than MD5 (especially when users want to join the lobby with MAC addresses and stuff). Therefore I added a dependency to #828 and set the MD5Crypt class as Deprecated.
When TripleA will be using bcrypt preferred to MD5, I will probably remove the @Deprecated annotation or add a @SuppressWarnings("deprecation") for the fallback code...
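The migration sketched in this thread (verify against the legacy unsalted MD5 record, and on a successful login rehash the password with a salted, deliberately slow password hash so MD5 records disappear from the system over time) as an added example; this is not TripleA's code and not from the linked PRs. It uses `hashlib.scrypt` as a stand-in for bcrypt, which is not in the Python standard library, and the record formats, user store and field names are assumptions made for the example:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed legacy record: unsalted hex MD5, the format the thread wants to retire.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# New record format (assumed): "scrypt$<salt hex>$<key hex>".
# scrypt stands in for bcrypt here; both are salted, slow password hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # A fresh random salt per user means identical passwords get different records,
    # which is the property "double hashing" alone would not give.
    if salt is None:
        salt = os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify_new(password: str, stored: str) -> bool:
    _, salt_hex, key_hex = stored.split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def login(users: Dict[str, str], name: str, password: str) -> bool:
    """Verify a login; if the record is legacy MD5 and the password is correct,
    replace the record with the new salted hash in place (lazy migration)."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith("scrypt$"):
        return verify_new(password, stored)
    # Fallback path for not-yet-migrated users.
    if hmac.compare_digest(legacy_md5(password), stored):
        users[name] = hash_password(password)
        return True
    return False


def count_legacy(users: Dict[str, str]) -> int:
    """How many records are still MD5; lets an operator watch the migration finish."""
    return sum(1 for rec in users.values() if not rec.startswith("scrypt$"))


if __name__ == "__main__":
    # Constructed sample store with one legacy user.
    store = {"alice": legacy_md5("hunter2")}
    print("legacy records before:", count_legacy(store))
    print("login ok:", login(store, "alice", "hunter2"))
    print("legacy records after:", count_legacy(store))
```

Once every record starts with the new prefix, the MD5 fallback branch (and the deprecated class) can be removed; `count_legacy` is the check that tells you when that point is reached.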
See https://github.com/triplea-game/triplea/issues/1041 for further follow-up.
I noticed that TripleA is still using MD5 checksums. According to this Stackoverflow question it shouldn't be too difficult to use SHA256 instead... The difficulty would be to change the servers' passwords of course... But for new users? Thoughts?