
Bcrypt for password storage

Open MarkJaroski opened this issue 6 years ago • 5 comments

It might make sense to shift to the standard password hashing library bcrypt instead of using a custom salt. Cracking bcrypted passwords takes considerably more computing power than SHA1 does, which will slow down any attacker that gets control of the database.

That said, using an upstream IDP might be even better.

MarkJaroski avatar Dec 02 '19 10:12 MarkJaroski

It's done in the next major version, with guidance of users to update their password. We could already do that in this version; changing the method of crypt is simple but we'll have also to add a page for users asking them to update their password, and this new password will be saved using bcrypt.

agilare avatar Dec 08 '19 20:12 agilare
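A login-time migration along the lines agilare describes, as an added example that is not the ladecadanse project's own code; it assumes the code base is PHP and that the legacy scheme is sha1(salt . password) stored with a per-user salt (both are assumptions, and the user record below is constructed):

```php
<?php
// Added example, not ladecadanse code: verify a stored password and
// migrate legacy SHA1+salt records to bcrypt on a successful login.
// Assumed legacy scheme: sha1($salt . $password) with a per-user salt.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

// Assumed legacy hashing function (not taken from the project).
function legacyHash(string $salt, string $password): string
{
    return sha1($salt . $password);
}

/**
 * Returns true if $password matches $stored. On success, a legacy record
 * (or a bcrypt hash made with a lower cost) is replaced in $stored by a
 * fresh bcrypt hash so the caller can persist it.
 */
function verifyAndUpgrade(string $password, string &$stored, ?string $salt): bool
{
    if (substr($stored, 0, 4) === '$2y$') {
        // Already bcrypt: let PHP do the constant-time check.
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Re-hash if the cost has been raised since this hash was made.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
            $stored = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        }
        return true;
    }

    // Legacy SHA1 record: compare in constant time, then upgrade to bcrypt.
    if ($salt === null || !hash_equals($stored, legacyHash($salt, $password))) {
        return false;
    }
    $stored = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return true;
}

// Constructed user record in the legacy format.
$user = ['salt' => 's4lt', 'hash' => legacyHash('s4lt', 'correct horse')];

$ok = verifyAndUpgrade('correct horse', $user['hash'], $user['salt']);
$wrong = verifyAndUpgrade('wrong password', $user['hash'], $user['salt']);
var_dump($ok, $wrong, substr($user['hash'], 0, 4));
```

After the first successful login the record holds a `$2y$` bcrypt hash and the salt column can be dropped once every active user has migrated; users who never log in again still need the "update your password" page agilare mentions.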

Brilliant!

MarkJaroski avatar Dec 10 '19 10:12 MarkJaroski

I guess we can close this then, but unfortunately the next major version link isn't working for me.

MarkJaroski avatar Dec 10 '19 13:12 MarkJaroski

But finishing the next version will take time... so if someone can meanwhile improve security of current version exposed... The repo of the next version is private, I can add you if you're interested to contribute to it.

agilare avatar Jan 03 '20 18:01 agilare

Yes, please.

MarkJaroski avatar Jan 08 '20 16:01 MarkJaroski