Booked Scheduler Community Support
Topic: Password Hashing (Read 881 times)

dctt (Newbie, Karma: 0, Posts: 1)

« on: August 02, 2018, 07:06:39 PM »

Hi all,

I've been looking through Booked's code on behalf of a client who's currently evaluating it. I've noticed that the current method of password storage effectively involves generating a random salt and taking the SHA1 hash of $password + $salt.

It's fairly well-known that SHA-1 isn't encouraged for password storage these days, so I'm a little concerned that it is still in use in Booked.

The general current recommendation is to use bcrypt. PHP, as of 5.5.0, actually has built-in functions to facilitate the hashing and verification of passwords (see password_hash and password_verify in the standard library). For older versions, there exists a shim that provides the same functions (https://github.com/ircmaxell/password_compat). As these functions do a lot of the hard work of implementing secure password storage, there is less room for mistakes to be made in implementation.

To that end, I propose modifying the current password hashing mechanism to use more secure algorithms, hopefully using the new password_ functions.

Thank you

EDIT: I'd be happy to handle the implementation myself, but the current requirement of PHP 5.3 would have to be raised to either 5.3.7 (if using password_compat) or 5.5.0 (if relying on the native functions).
« Last Edit: August 02, 2018, 07:19:22 PM by dctt »
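The migration the post proposes, written out as an added example. This is not Booked's code and not dctt's patch; it assumes the legacy scheme is exactly sha1($password . $salt) as the post describes (the concatenation order and salt format are assumptions), and it assumes hypothetical record fields legacy_sha1, salt and password_hash, plus a bcrypt cost of 12. The point it shows is that nothing has to be reset: a user whose record still holds a salted SHA-1 is verified against it once, then transparently rehashed with password_hash() on that successful login, and every later login takes the password_verify() path.

```php
<?php
// Added example, not Booked's own code. Requires PHP >= 5.5.0, or PHP >= 5.3.7
// with the password_compat shim loaded first:
//   require_once 'password.php'; // from https://github.com/ircmaxell/password_compat

define('BCRYPT_COST', 12); // assumed policy; raise over time as hardware gets faster

// Legacy scheme as the post describes it: sha1($password . $salt). The order and
// the salt format are assumptions for this example.
function legacy_hash($password, $salt)
{
    return sha1($password . $salt);
}

// Constant-time string comparison. hash_equals() only exists from PHP 5.6, so fall
// back to a manual XOR loop on the older versions the post mentions.
function constant_time_equals($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

function legacy_verify($password, $salt, $storedSha1)
{
    return constant_time_equals($storedSha1, legacy_hash($password, $salt));
}

// $user is a record with assumed fields: legacy_sha1, salt, password_hash.
// A record carries either the legacy pair or a password_hash() string, never both
// once it has been migrated. Returns true on successful authentication and
// upgrades the record in place when needed.
function authenticate(array &$user, $password)
{
    if ($user['password_hash'] !== null) {
        // Modern path: bcrypt string from password_hash(), which embeds its own
        // random salt and cost, so no separate salt column is needed.
        if (!password_verify($password, $user['password_hash'])) {
            return false;
        }
        // If the stored cost (or algorithm) is below current policy, upgrade now,
        // while the plaintext is available.
        $opts = array('cost' => BCRYPT_COST);
        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, $opts)) {
            $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT, $opts);
        }
        return true;
    }

    // Legacy path: salted SHA-1. On success, replace it with a bcrypt hash and
    // clear the legacy fields so the next login never touches SHA-1 again.
    if (!legacy_verify($password, $user['salt'], $user['legacy_sha1'])) {
        return false;
    }
    $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT, array('cost' => BCRYPT_COST));
    $user['legacy_sha1']   = null;
    $user['salt']          = null;
    return true;
}

// Constructed sample record: a user created under the legacy scheme. The salt
// source (openssl extension) is an assumption; Booked's own salt generation is not shown here.
$salt = bin2hex(openssl_random_pseudo_bytes(16));
$user = array(
    'legacy_sha1'   => legacy_hash('correct horse battery staple', $salt),
    'salt'          => $salt,
    'password_hash' => null,
);

// A wrong password must fail and leave the record untouched.
if (authenticate($user, 'wrong password') || $user['password_hash'] !== null) {
    echo "unexpected: wrong password accepted or record changed\n";
}
// The first correct login verifies against SHA-1 and migrates the record.
if (authenticate($user, 'correct horse battery staple') && $user['legacy_sha1'] === null) {
    echo "migrated to " . substr($user['password_hash'], 0, 7) . "...\n";
}
// The second correct login goes through password_verify() only.
if (authenticate($user, 'correct horse battery staple')) {
    echo "login via password_verify() ok\n";
}
```

Two practical notes when wiring this into a real schema: store the whole password_hash() output in a column wide enough for future algorithms (the PHP manual suggests VARCHAR(255), since PASSWORD_DEFAULT may change across releases), and keep the legacy columns nullable for the duration of the migration so that accounts which never log in again can be identified and, if policy requires, forced through a reset rather than left on SHA-1 indefinitely.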