I know Elgg is planning to upgrade the password encryption in a release sometime in the near future, but I can't release my site with md5. My site focuses on security and using md5 is so insecure. I really do not want to release my site using md5, since it goes against my core cryptography beliefs. Upgrading the password code isn't hard; making it compatible with older accounts is a bit challenging. I will be contributing all the code that I write to update the password and any code I use to the core. The core wants to use blowfish, since it works with every php install 5.3 and up. If anyone wants to work on fixing this issue with me, then I will post the code I have so far.
We can make a plugin for 1.8, but we can't change the API in a bugfix release. Adding support for phppass in the core will be in 1.9 or later.
Think about forward compatibility, plugins... Use a generic function like elgg_password_encryption('md5', 'sha512', ...)
I was thinking of rewriting the core and submitting it so it could be released before 1.9. A plugin is good too! Do you want to co-write that?
I would be very glad. My knowledge of encryption is limited, but I can hack anything in Elgg. So.. if you know enough about password hashing, and I read up a little, we can form a good team.
Can we meet in a chat to resolve our doubts before beginning the plugin? Tomorrow I'll be in the #lorea IRC channel, freenode.net. Can we meet there?
@LOGIN_ACTION:
// before elgg's stuff
// try phppass first
if (phppass_authenticate($username, $password)) {
    // ok & phppass re-hash already
    return true;
} elseif (elgg_authenticate($username, $password)) {
    // ok - now re-hash using phppass
    // re-hash & save; only return true on a successful legacy check
    phppass_rehash($username, $password);
    return true;
}
return false;

function phppass_authenticate($username, $password) {
    ...
}

function phppass_rehash($username, $password) {
    ...
}
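The flow sketched in the post above (check the new scheme first, fall back to Elgg's legacy check, then re-hash on success), written out as a complete added example. This is not Elgg's code and not the plugin being discussed here: it assumes an in-memory users array in place of Elgg's user table, assumes the legacy hash is md5(password . salt), and uses bcrypt through PHP's crypt() (CRYPT_BLOWFISH, available on PHP 5.3 and up, which is the "blowfish" the first post refers to) instead of phpass. Names such as verify_and_upgrade() and bcrypt_hash() are the example's own.

```php
<?php
// Added example, not Elgg's own code and not the plugin discussed in this thread.
// Login-time migration: verify the legacy md5 hash, and on success replace it
// with a bcrypt ("blowfish") hash via crypt(), which PHP supports on 5.3 and up.
// Storage is an in-memory array standing in for the users table; the legacy
// scheme assumed here is md5(password . salt).

// Constructed sample record: one account still on the legacy md5 scheme.
$users = array(
    'alice' => array(
        'salt'     => 'a1b2c3d4',
        'password' => md5('correct horse' . 'a1b2c3d4'),
    ),
);

// True if $stored looks like a bcrypt hash ($2a$/$2x$/$2y$, cost, 53-char body).
function is_bcrypt_hash($stored) {
    return preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored) === 1;
}

// Compare two strings without leaking where they first differ.
// (PHP 5.6+ ships hash_equals(); this keeps the example on 5.3.)
function constant_time_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// bcrypt via crypt(): a random 22-character salt from bcrypt's alphabet plus a
// work factor. The $2y$ prefix is correct on PHP 5.3.7+; older builds use $2a$.
function bcrypt_hash($password, $cost = 10) {
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (!is_bcrypt_hash($hash)) {
        // crypt() returns "*0"/"*1" when the algorithm is unavailable; never store that
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Authenticate $username/$password; upgrade the stored hash when it is still md5.
function verify_and_upgrade(array &$users, $username, $password) {
    if (!isset($users[$username])) {
        bcrypt_hash($password); // spend the same time as a real check
        return false;
    }
    $user =& $users[$username];

    if (is_bcrypt_hash($user['password'])) {
        // crypt() with the full stored hash as salt reproduces it for the right password
        return constant_time_equals(crypt($password, $user['password']), $user['password']);
    }

    // Legacy path: md5(password . salt). The plaintext is only available at login,
    // so this is the one moment the account can be moved to bcrypt.
    if (!constant_time_equals(md5($password . $user['salt']), $user['password'])) {
        return false;
    }
    $user['password'] = bcrypt_hash($password);
    unset($user['salt']); // bcrypt carries its own salt inside the hash
    return true;
}

// First login is checked against md5 and upgraded; the second is checked against bcrypt.
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
var_dump(is_bcrypt_hash($users['alice']['password']));
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
var_dump(verify_and_upgrade($users, 'alice', 'wrong password'));
```

On PHP 5.5 and later, password_hash(), password_verify() and password_needs_rehash() replace bcrypt_hash() and the crypt() comparison; the legacy fallback and the upgrade-on-login step stay the same. Because the upgrade only happens when a user logs in, accounts that never log in keep their md5 hashes, so a migration plan also needs a cut-off after which those hashes are discarded and a password reset is required.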
Sem: I will message you.
Please can anybody say what the current status on this issue is?
Thank you