Changing ELGG default password encryption from md5 -- reverse compatibility issues

I know Elgg is planning to upgrade the password encryption in a release sometime in the near future, but I can't release my site with md5. My site focuses on security and using md5 is so insecure. I really do not want to release my site using md5, since it goes against my core cryptography beliefs. Upgrading the password code isn't hard -- making it compatible with older accounts is a bit challenging. I will be contributing all the code that I write to update the password and any code I use to the core. The core wants to use blowfish, since it works with every php install 5.3 and up. If anyone wants to work on fixing this issue with me, then I will post the code I have so far.

  • I disagree that we should wait till 1.9.

    We can make a plugin for 1.8, but we can't change the API in a bugfix release. Adding support for phppass in the core will be in 1.9 or later.

    elgg_new_password_encryption()

    Think in forward compatibility, plugins... Use a generic function like elgg_password_encryption('md5', 'sha512' ...)

  • I was thinking of rewriting the core and submitting it so it could be released before 1.9. A plugin is good too! Do you want to co-write that?

  • I would be very glad. My knowledge of encryption is limited, but I can hack anything in Elgg. So... if you know enough about password hashing, and I read up a little, we can form a good team.

    Can we meet in a chat to resolve our doubts before beginning the plugin? Tomorrow I'll be in the #lorea IRC channel on freenode.net. Can we meet there?

  • @LOGIN ACTION:
        // before elgg's stuff
        // try phppass first
        $return = phppass_authenticate($username, $password);
        if ($return) {                // ok & phppass re-hash already
            return true;
        } else {
            $return = elgg_authenticate($username, $password);
            if ($return) {            // ok - now re-hash using phppass
                // re-hash & save
                $rehash = phppass_rehash($username, $password);
                return true;
            }
        }
        return false;

        function phppass_authenticate($username, $password) {
            // ...
        }
        function phppass_rehash($username, $password) {
            // ...
        }

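The login flow sketched in the post above (try the new hash, fall back to the legacy hash, re-hash on success) as a complete added example. This is not Elgg core code and not the poster's code: it assumes the legacy format is md5($password . $salt), uses PHP's built-in bcrypt via password_hash()/password_verify() (PHP 5.5+, with hash_equals() from 5.6) in place of phppass, and keeps the user record in a constructed in-memory array instead of Elgg's user entity.

```php
<?php
// Added example (not Elgg core code): transparent migration of legacy
// md5(password . salt) hashes to bcrypt (blowfish) on successful login.
// Assumptions: PHP >= 5.6 for password_hash()/password_verify()/hash_equals();
// the legacy storage format md5($password . $salt); the in-memory record below.

const BCRYPT_COST = 12;

/** Legacy hash as the old code is assumed to have stored it. */
function legacy_hash($password, $salt) {
    return md5($password . $salt);
}

/** True if the stored value is a bcrypt string produced by password_hash(). */
function is_bcrypt_hash($stored) {
    return strpos($stored, '$2y$') === 0;
}

/**
 * Verify $password against a user record. If the record still holds a legacy
 * md5 hash and the password is correct, replace it with bcrypt so the md5
 * value never has to be stored again. Returns array(bool $ok, array $user).
 */
function authenticate_and_migrate(array $user, $password) {
    if (is_bcrypt_hash($user['password'])) {
        if (!password_verify($password, $user['password'])) {
            return array(false, $user);
        }
        // If the cost parameter was raised since this hash was made, upgrade it now.
        if (password_needs_rehash($user['password'], PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
            $user['password'] = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        }
        return array(true, $user);
    }

    // Legacy path: constant-time compare, then re-hash with bcrypt.
    $expected = legacy_hash($password, $user['salt']);
    if (!hash_equals($user['password'], $expected)) {
        return array(false, $user);
    }
    $user['password'] = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $user['salt'] = '';   // the salt now lives inside the bcrypt string
    return array(true, $user);
}

// Constructed sample record, as the legacy code would have stored it.
$user = array(
    'username' => 'alice',
    'salt'     => 'a1b2c3d4',
    'password' => legacy_hash('correct horse', 'a1b2c3d4'),
);

list($ok, $user) = authenticate_and_migrate($user, 'wrong');
printf("wrong password: %s, still legacy: %s\n",
    $ok ? 'ok' : 'rejected', is_bcrypt_hash($user['password']) ? 'no' : 'yes');

list($ok, $user) = authenticate_and_migrate($user, 'correct horse');
printf("right password: %s, now bcrypt: %s\n",
    $ok ? 'ok' : 'rejected', is_bcrypt_hash($user['password']) ? 'yes' : 'no');

// A second login takes the bcrypt path directly; the legacy hash is gone.
list($ok, $user) = authenticate_and_migrate($user, 'correct horse');
printf("second login: %s\n", $ok ? 'ok' : 'rejected');
```

The point of checking the hash prefix first is that a wrong password against a legacy account never touches the slow bcrypt path and never rewrites the record, while a correct one is upgraded exactly once. Accounts whose owners never log in keep their md5 hash, so a migration report (count of records where is_bcrypt_hash() is false) tells you how much of the legacy exposure remains.
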
  • Please can anybody say what the current status on this issue is?
    Thank you

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.