New login hashing

[garvinhicking]

Hi!

I've just committed new login hashing functionality to SVN trunk that uses SHA1 salted hashes instead of plain md5.

I'd need help from anyone wanting to test it out. I'll prepare a blog.s9y.org blog-posting for tomorrow once the updated snapshots are up.

Feedback much appreciated.

http://svn.berlios.de/viewcvs/serendipi ... ision=2469

Regards,
Garvin

[Jensthebrain]

I would prefer a more random salt for SHA1. Furthermore you should use SSHA - a different salt for each user. This would make it even more secure.

Furthermore you could use serendipityHashType = 1 for SHA1 and if supported by the local PHP installation 2 for SHA256 (maybe using the hashtype as string would be better...).
hash_algos() is supported since 5.1.2 and the Hash Framework supports up to sha512.

[garvinhicking]

Hi!

I would prefer a more random salt for SHA1.

What do you mean?

Furthermore you should use SSHA - a different salt for each user. This would make it even more secure.

That's an interesting idea, should be easy to create a hash on per-user.

Furthermore you could use serendipityHashType = 1 for SHA1 and if supported by the local PHP installation 2 for SHA256 (maybe using the hashtype as string would be better...).
hash_algos() is supported since 5.1.2 and the Hash Framework supports up to sha512.

Also a good suggestion, do you know how this affects performance?

Regards,
Garvin