developer.jelix.org is no longer used and exists only for its history. Post new tickets on the GitHub account.
#826 closed enhancement (fixed)
It is always a good thing to put some salt in your hash
Reported by: | dubphil | Owned by: | |
---|---|---|---|
Priority: | high | Milestone: | Jelix 1.2 beta |
Component: | jelix:auth | Version: | trunk |
Severity: | normal | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Documentation needed: | no |
Hosting Provider: | | Php version: | |
Description
That's a serious ticket indeed ;)
It would be more than necessary to enhance the security of the way jAuth records a user in a database, by adding a "salt". It means a string that could be defined in the defaultconfig.ini.php, added to the password before hashing it and recording it into the database.
It would also be necessary to provide the possibility to choose the sha1 algorithm, which is actually better than md5.
Change History (3)
comment:1 Changed 12 years ago by laurentj
- Milestone set to Jelix 1.2
comment:2 Changed 11 years ago by laurentj
- Documentation needed set
- Resolution set to fixed
- Status changed from new to closed
fixed. http://bitbucket.org/jelix/jelix-trunk/changeset/8bb00a40b86c/
we should provide a password_salt value in the config file of the auth plugin. To indicate a function which accepts a salt and a password, password_crypt_function must begin with "1:". A sha1WithSalt function is provided for that. Example:
password_crypt_function = "1:sha1WithSalt"
password_salt = "here_your_salt"
The default function is now sha1 (so without salt) instead of md5.
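The configuration convention described in comment:2, worked through as an added example. This is not Jelix's own code: it is a minimal dispatcher that reads password_crypt_function and password_salt, calls the named function with the salt when the name starts with "1:", and verifies a stored digest with a constant-time comparison. The page does not say how the real sha1WithSalt combines salt and password, so the order used here (salt first, then password) and the argument order (salt, password) are assumptions, as is the constructed config fragment.

```php
<?php
// Added example, not code from Jelix. Follows the convention in comment:2:
// password_crypt_function names the hashing function; a "1:" prefix means
// the function takes the configured salt as well as the password.

// ASSUMPTION: the real sha1WithSalt may combine the two values differently.
function sha1WithSalt(string $salt, string $password): string
{
    return sha1($salt . $password);
}

function hashPassword(array $config, string $password): string
{
    $func = $config['password_crypt_function'] ?? 'sha1'; // default per comment:2
    $salt = (string) ($config['password_salt'] ?? '');

    if (strncmp($func, '1:', 2) === 0) {
        $func = substr($func, 2);
        if ($salt === '') {
            throw new RuntimeException('password_salt is empty: a "1:" function needs a salt');
        }
        if (!function_exists($func)) {
            throw new RuntimeException("unknown password function: $func");
        }
        return $func($salt, $password);
    }

    if (!function_exists($func)) {
        throw new RuntimeException("unknown password function: $func");
    }
    return $func($password); // plain sha1 or md5, no salt
}

// Constant-time comparison so the check does not leak how many leading
// characters of the stored digest matched.
function checkPassword(array $config, string $password, string $stored): bool
{
    return hash_equals($stored, hashPassword($config, $password));
}

// Constructed config, same fragment as comment:2.
$ini = <<<INI
password_crypt_function = "1:sha1WithSalt"
password_salt = "here_your_salt"
INI;
$config = parse_ini_string($ini);

$stored = hashPassword($config, 'correct horse');
var_dump(checkPassword($config, 'correct horse', $stored));
var_dump(checkPassword($config, 'wrong', $stored));

// One site-wide salt gives identical digests for identical passwords, so an
// attacker holding the table can still see which accounts share a password.
var_dump(hashPassword($config, 'correct horse') === $stored);

// Per-user random salt plus a slow hash (password_hash, PHP >= 5.5) is what a
// practitioner would configure today instead of sha1 with a global salt.
$modern = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $modern));
```

The value in password_salt is a single secret shared by every account, which is closer to a pepper than to a salt: it protects against precomputed tables only while the config file stays secret, and it does nothing against an attacker who can compare rows against each other. Unprefixed names fall through to the one-argument call, so "sha1" and "md5" keep working as before.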
comment:3 Changed 10 years ago by foxmask
- Documentation needed unset
Yes, you are right.
We should provide a simple function (provided with the jauth plugin) which uses this salt, and then we could indicate this function in the configuration of jAuth. And this function could use jCrypt.