New login hashing

Posted: Mon Feb 16, 2009 12:33 pm
by garvinhicking
Hi!

I've just committed new login hashing functionality to SVN trunk that uses SHA1 salted hashes instead of plain md5.

I'd need help from anyone wanting to test it out. I'll prepare a blog.s9y.org blog-posting for tomorrow once the updated snapshots are up.

Feedback much appreciated.

http://svn.berlios.de/viewcvs/serendipi ... ision=2469

Regards,
Garvin

Re: New login hashing

Posted: Wed Feb 18, 2009 7:52 pm
by Jensthebrain
I would prefer a more random salt for SHA1. Furthermore you should use SSHA - a different salt for each user. This would make it even more secure.

Furthermore you could use serendipityHashType = 1 for SHA1 and, if supported by the local PHP installation, 2 for SHA256 (maybe using the hashtype as a string would be better...).
hash_algos() is supported since 5.1.2 and the Hash Framework supports up to sha512.
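A sketch of the per-user salt and selectable hash type proposed in this post, as an added example that is not Serendipity's code or the committed patch. It assumes PHP 7 or later (random_bytes, hash_equals) and invents the stored record format and the numeric-to-algorithm mapping.

```php
<?php
// Added example, not Serendipity's code. Hypothetical mapping from the
// numeric serendipityHashType mentioned in the post to a hash() algorithm name.
declare(strict_types=1);

const HASH_TYPES = [1 => 'sha1', 2 => 'sha256'];

// Resolve the configured hash type; fall back to SHA1 when the local PHP
// build does not list the requested algorithm in hash_algos().
function pickAlgo(int $hashType): string
{
    $algo = HASH_TYPES[$hashType] ?? null;
    if ($algo === null || !in_array($algo, hash_algos(), true)) {
        return 'sha1';
    }
    return $algo;
}

// Build a stored record "algo$salt$digest" with a fresh random salt per user
// (regenerated on every password change), so identical passwords on two
// accounts never share a digest and precomputed tables do not transfer.
function makeStoredHash(string $password, int $hashType): string
{
    $algo   = pickAlgo($hashType);
    $salt   = bin2hex(random_bytes(16));
    $digest = hash($algo, $salt . $password);
    return implode('$', [$algo, $salt, $digest]);
}

// Verify a login attempt against the stored record. The algorithm is read
// from the record itself, so existing users keep working after the default
// hash type changes. hash_equals() avoids a timing side channel on the compare.
function verifyPassword(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$algo, $salt, $digest] = $parts;
    if (!in_array($algo, hash_algos(), true)) {
        return false;
    }
    return hash_equals($digest, hash($algo, $salt . $password));
}

// Constructed sample usage.
$stored = makeStoredHash('correct horse', 2);
var_dump(verifyPassword('correct horse', $stored));
var_dump(verifyPassword('wrong password', $stored));
```

A single salted SHA1 or SHA256 digest is cheap to compute, so an attacker with the database can still test candidate passwords very quickly; a design started today would use a deliberately slow scheme such as PHP's password_hash() instead.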

Re: New login hashing

Posted: Wed Feb 18, 2009 10:58 pm
by garvinhicking
Hi!
Jensthebrain wrote:
> I would prefer a more random salt for SHA1.

What do you mean?

> Furthermore you should use SSHA - a different salt for each user. This would make it even more secure.

That's an interesting idea, should be easy to create a hash on a per-user basis.

> Furthermore you could use serendipityHashType = 1 for SHA1 and if supported by the local PHP installation 2 for SHA256 (maybe using the hashtype as string would be better...).
> hash_algos() is supported since 5.1.2 and the Hash Framework supports up to sha512.

Also a good suggestion, do you know how this affects performance?

Regards,
Garvin