tschwaab1 / marketplace

Marketplace
MIT License

Change Password Encryption #14

Open tschwaab1 opened 3 years ago

tschwaab1 commented 3 years ago

Reason: https://webmasters.stackexchange.com/questions/28384/is-the-php-method-md5-secure-can-it-be-used-for-passwords

Using MD5() for hashing passwords is not secure. Hackers have created rainbow tables which are MD5 hashes of all passwords up to 12 characters in length. So instead of having to try to "crack" a hash they only need to do a quick SQL query and it's broken. [ ... ]

Laurammf commented 3 years ago

MD5 is not recommended because of brute-force attacks: the response is too quick, so it saves time for the hacker and gives him more time to make more brute-force trials. Under the assumption that the other groups will not try to hack our app brute-force style, because it takes time and domain knowledge, which they don't have, MD5 should not be a problem.

Still, here are some other, slightly more complicated options:
https://github.com/themattharris/PHP-Blowfish/blob/master/blowfish.php
https://www.php.net/manual/en/function.password-hash.php
https://www.w3schools.com/php/func_string_crypt.asp
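
An added example, not part of the thread and not code from the marketplace project: one way to move existing accounts from `md5()` to the `password_hash()` option linked above, by verifying against the old hash at login and replacing it on success. The stored-hash layout (a 32-character hex MD5 string for legacy rows) and the function name `verifyAndUpgrade()` are assumptions.

```php
<?php
// Assumption: legacy rows hold a bare 32-char hex MD5 digest; upgraded rows hold
// a password_hash() string. verifyAndUpgrade() is a hypothetical helper name.

/**
 * Returns [bool $ok, ?string $newHash]. $newHash is non-null when the caller
 * should overwrite the stored hash with it.
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_hash() output starts with "$", so it can never match this pattern.
    $isLegacyMd5 = (bool) preg_match('/^[a-f0-9]{32}$/i', $storedHash);

    if ($isLegacyMd5) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($storedHash), md5($password))) {
            return [false, null];
        }
        // Correct password on a legacy row: replace MD5 with a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // Re-hash if PHP's default algorithm or cost changed since this hash was made.
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample data: one legacy MD5 row.
$stored = md5('correct horse battery staple');

[$ok, $new] = verifyAndUpgrade('wrong guess', $stored);
var_dump($ok, $new);            // failed login leaves the stored hash untouched

[$ok, $new] = verifyAndUpgrade('correct horse battery staple', $stored);
var_dump($ok);
if ($new !== null) {
    $stored = $new;             // in the app: UPDATE the user's row with $new
}

[$ok, $new] = verifyAndUpgrade('correct horse battery staple', $stored);
var_dump($ok, $new);            // second login goes through password_verify()
```

Accounts that never log in again keep their MD5 hash under this scheme, so the legacy branch can only be removed after those accounts have been forced through a password reset.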