developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

#826 closed enhancement (fixed)

It is always a good thing to put some salt in your hash

Reported by: dubphil
Owned by:
Priority: high
Milestone: Jelix 1.2 beta
Component: jelix:auth
Version: trunk
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description

That's a serious ticket indeed ;)

It would be more than necessary to enhance the security of the way jAuth records a user in a database, by adding "salt". It means a string that could be defined in the defaultconfig.ini.php, added to the password before hashing it and recording it into the database.

It would also be necessary to provide the possibility to choose the sha1 algorithm that is actually better than md5.

Change History (3)

comment:1 Changed 11 years ago by laurentj

  • Milestone set to Jelix 1.2

Yes, you are right.

We should provide a simple function (provided with the jauth plugin) which uses this salt, and then we could indicate this function in the configuration of jAuth. And this function could use jCrypt.

comment:2 Changed 10 years ago by laurentj

  • Documentation needed set
  • Resolution set to fixed
  • Status changed from new to closed

fixed. http://bitbucket.org/jelix/jelix-trunk/changeset/8bb00a40b86c/

We should provide a password_salt value in the config file of the auth plugin. To indicate a function which accepts a salt and a password, password_crypt_function must begin with "1:". A sha1WithSalt function is provided for that. Example:

password_crypt_function = "1:sha1WithSalt"
password_salt = "here_your_salt"

The default function is now sha1 (so without salt) instead of md5.
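The following is an added example, not Jelix code, showing how the two config values quoted above can drive the choice between a salted and an unsalted hash function. It assumes that a function named with the "1:" prefix takes the salt first and the password second, as the comment describes; the helper names jauth_example_hash and jauth_example_verify, the sha1WithSalt body and the config array are constructed for illustration.

```php
<?php
// Added example (not Jelix code): dispatch on the "1:" prefix of
// password_crypt_function and fall back to plain sha1 when it is empty.

// Hypothetical sha1WithSalt with the (salt, password) signature the ticket
// describes; the real Jelix function may differ in its internals.
function sha1WithSalt($salt, $password)
{
    return sha1($salt . $password);
}

// Constructed config mirroring the two ini values quoted in the ticket.
$config = array(
    'password_crypt_function' => '1:sha1WithSalt',
    'password_salt'           => 'here_your_salt',
);

/**
 * Hash a password according to the config. A "1:" prefix means the named
 * function takes (salt, password); any other name takes only (password).
 * An empty value falls back to plain sha1, the default the ticket mentions.
 */
function jauth_example_hash(array $config, $password)
{
    $func = isset($config['password_crypt_function']) ? $config['password_crypt_function'] : '';
    if ($func === '') {
        return sha1($password);
    }
    if (strncmp($func, '1:', 2) === 0) {
        $func = substr($func, 2);
        $salt = isset($config['password_salt']) ? $config['password_salt'] : '';
        if ($salt === '') {
            throw new RuntimeException('password_salt must be set when using a "1:" function');
        }
        if (!is_callable($func)) {
            throw new RuntimeException("unknown hash function: $func");
        }
        return $func($salt, $password);
    }
    if (!is_callable($func)) {
        throw new RuntimeException("unknown hash function: $func");
    }
    return $func($password);
}

/** Compare a stored hash with a freshly computed one in constant time. */
function jauth_example_verify(array $config, $password, $stored)
{
    return hash_equals($stored, jauth_example_hash($config, $password));
}

// Demonstration: the salted digest differs from plain sha1 of the same
// password, so a precomputed table of unsalted sha1 digests no longer
// matches what is stored; verification still succeeds for the right password.
$stored   = jauth_example_hash($config, 'correct horse');
$unsalted = sha1('correct horse');
echo "salted differs from unsalted: ", var_export($stored !== $unsalted, true), "\n";
echo "right password verifies:      ", var_export(jauth_example_verify($config, 'correct horse', $stored), true), "\n";
echo "wrong password verifies:      ", var_export(jauth_example_verify($config, 'wrong', $stored), true), "\n";
```

Two points worth keeping in mind when using this mechanism: a single site-wide salt defeats precomputed digest tables but gives no per-user separation, so two accounts with the same password still store the same hash; and the comparison is done with hash_equals (PHP 5.6 and later) rather than ==, so that verification time does not depend on how many leading bytes of the digest match.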
