Ravens PHP Scripts: Forums
 

 

rrclansite
Regular
Joined: Jan 18, 2011
Posts: 86

PostPosted: Wed Jan 09, 2013 5:03 pm Reply with quote

Hi there!

Recently I've picked up PHP coding again, and I'm getting more in depth about what I can and can't do. I decided it would be a good exercise to script my own blog for my traveling adventures to come. However, my goals might be a bit ambitious as of writing.

I was researching the concept of password hashing, some well-written articles, some not so much so. Only to stop to wonder how the password hashing is practised here @ RN. I'm really wondering myself how this team of developers tackled this issue, as I couldn't really find the password hashing function back in the mainfile.php but saw a reference of montego in the Your_Account module that a better salt should be used. In this same module I also came across md5, which supposedly ain't safe for encrypting your passwords, because it can be cracked in no time. Which made me conclude this function was merely used for temporary password generation for resetting.

Is there anybody willing to hint me in the right direction for the whereabouts of the hashing function? (if not publicly via PM maybe?)

Also, I was wondering if you guys have started thinking of perhaps going Blowfish on the encryption (if you didn't already).

Best regards,
rrclansite / actnreactgaming
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Wed Jan 09, 2013 8:13 pm Reply with quote

We currently use just md5 but are looking at alternatives.
md5 is fairly secure provided you have 8+ characters with a mix of upper/lower case, numbers and non-alphanumeric characters.
I think everyone has seen "rainbow tables" but what most people forget is that those require a brute force attack on the server and any reasonably well configured server will lock the IP out fairly quickly.

I know this topic has been discussed a few times over the last couple of years and it's always worth bringing it to the forefront every now and again.
 
rrclansite
PostPosted: Thu Jan 10, 2013 6:40 am Reply with quote

Well said, it is indeed worth it to discuss this over again in due time. Still, a few questions remain.

1. Why not go for a higher bit hashing function like sha256 or sha512?
2. What's the holdback for going Blowfish?
3. Would I be able to take a peek at the RN hashing function? Or is this protected information?
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Thu Jan 10, 2013 7:06 am Reply with quote

1) We agree with you. It needs to be looked at. We have a full plate right now for RN3.0, so not sure we'll address in that branch.

2) Resources. Small team all with lives to live. Smile

3) RN is PHP and GPL2, so there is nothing "protected" about it. Have at it. Smile

I did run into an interesting article the other day in my Twitter feed that I marked for future reference purposes. You may find this interesting as well:

http://codahale.com/how-to-safely-store-a-password/

Regards,
montego

rrclansite
PostPosted: Thu Jan 10, 2013 7:13 am Reply with quote

Thank you for your prompt reply Montego!

1. I hear ya, we all have busy lives in this current society me thinks Razz
2. see point 1 Wink

3. Ok thank you, but I'm still unsure as to where I should find it. I couldn't locate it in the files I ran through, might have missed something.

I checked mainfile.php / config.php / rnconfig.php / admin.php / backend.php / backend_mshnl.php

So if the hashing function you guys set up is somewhere located in those files, I must've overlooked.

As soon as I know where to look I'll be off your guys' back for a while again =]

Kind regards,
rrclansite / actnreactgaming
 
Guardian2003
PostPosted: Sat Jan 12, 2013 1:08 pm Reply with quote

Your_Account does most of the user registration etc. type functions, so the password hashing is done there for the most part.
If you were thinking of changing it though, a couple of things you'll need to watch out for:
The password is converted by MySQL to md5 as the table field is md5; user authentication / cookie read/write routines will also need changing, otherwise you will never get a match with what is in the DB.
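The two traps Guardian2003 lists (a CHAR(32) column full of MySQL MD5() digests, and login/cookie code that expects them) can be dealt with without forcing every user to reset. The following is an added example, not RavenNuke's own code: a login path that accepts a legacy md5 row once, replaces it with bcrypt on that same successful login, and issues a random session token for the cookie instead of a password digest. It assumes PHP 7.1+ (password_hash()/password_verify() exist since 5.5), and the table and column names `users`, `uid`, `pass` and `session_token` are invented for the demo, which runs against an in-memory SQLite table.

```php
<?php
// Added example, not RavenNuke code: verifying logins against a user table
// whose password column still holds MySQL MD5() digests, and silently
// upgrading each account to bcrypt on its next successful login.
// Assumes PHP 7.1+. Table/column names are assumptions for this demo.
declare(strict_types=1);

// The legacy column was CHAR(32); bcrypt output is 60 characters, so the
// column has to be widened (here VARCHAR(255)) before any of this ships.
function legacyMd5Digest(string $stored): bool
{
    // MySQL MD5() yields exactly 32 lowercase hex characters.
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function storeHash(PDO $db, int $uid, string $hash): void
{
    $stmt = $db->prepare('UPDATE users SET pass = :p WHERE uid = :u');
    $stmt->execute([':p' => $hash, ':u' => $uid]);
}

function verifyAndUpgrade(PDO $db, int $uid, string $stored, string $submitted): bool
{
    $opts = ['cost' => 12];
    if (legacyMd5Digest($stored)) {
        // Legacy row: compare in constant time, then replace the md5 at once.
        if (!hash_equals($stored, md5($submitted))) {
            return false;
        }
        storeHash($db, $uid, password_hash($submitted, PASSWORD_BCRYPT, $opts));
        return true;
    }
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    // Already bcrypt: re-hash only when the cost has been raised since.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        storeHash($db, $uid, password_hash($submitted, PASSWORD_BCRYPT, $opts));
    }
    return true;
}

// Cookie side: never put a password digest in the cookie. Hand out a random
// token, store only its SHA-256, and resolve the user from that per request.
function issueSessionToken(PDO $db, int $uid): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET session_token = :t WHERE uid = :u');
    $stmt->execute([':t' => hash('sha256', $token), ':u' => $uid]);
    return $token; // this is what goes into the cookie
}

function userForToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT uid FROM users WHERE session_token = :t');
    $stmt->execute([':t' => hash('sha256', $token)]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// --- self-contained demo on an in-memory SQLite table (constructed data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT,
                               pass VARCHAR(255), session_token CHAR(64))');
// A row exactly as the old code would have written it: MySQL-style MD5().
$db->exec("INSERT INTO users (uid, uname, pass) VALUES (1, 'demo', '" . md5('correct horse') . "')");

$stored = $db->query('SELECT pass FROM users WHERE uid = 1')->fetchColumn();
var_dump(verifyAndUpgrade($db, 1, $stored, 'wrong'));          // wrong password, row untouched
var_dump(verifyAndUpgrade($db, 1, $stored, 'correct horse'));  // legacy match, row upgraded

$stored = $db->query('SELECT pass FROM users WHERE uid = 1')->fetchColumn();
var_dump(strpos($stored, '$2y$') === 0);                       // stored value is now bcrypt
var_dump(verifyAndUpgrade($db, 1, $stored, 'correct horse'));  // second login uses password_verify()

$cookie = issueSessionToken($db, 1);
var_dump(userForToken($db, $cookie));
var_dump(userForToken($db, 'not-a-token'));
```

The md5 branch exists only so that accounts which have not logged in since the switch still work; once a user authenticates, the plaintext is available for that one request and that is the moment to write the bcrypt string. Accounts that never log in again keep their md5 row, so a cut-off date after which those rows are forced through a reset is worth scheduling.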
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Sat Jan 12, 2013 3:25 pm Reply with quote

Take a look at this: http://www.openwall.com/phpass/. There is a lot of excellent information there. This class is a strong candidate for our next release.

rrclansite
PostPosted: Sat Jan 12, 2013 4:31 pm Reply with quote

I've seen people referring to phpass before, not exactly knowing what to do with it. If you guys are considering this for implementation in a future release I'll definitely look into it!

That being said, I should start delving deeper into the theory of password hashing and what a salt actually does to a password scramble, because this is not yet clear to me.

Furthermore, if you guys could use a hand in one way or another feel free to contact me. I'm still learning the programming language, but if you feel you could use a pair of fresh eyes on something I'm willing to take it up. Also I'm a native Dutch speaker, so if you need translations on language files just let me know!

Regards,
rrclansite
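On the question of what a salt actually does, the following is an added example that is not part of the thread or of RavenNuke. It puts three constructed user records through an unsalted md5 column, a per-user salted SHA-256, and bcrypt (which is what phpass and PHP's `password_hash()` produce), so that the difference is visible in the stored values themselves. It assumes PHP 7+ for `random_bytes()`; the user names, passwords and the four-word list are made up for the demonstration.

```php
<?php
// Added example, not from the thread or RavenNuke: what a salt changes in
// the stored value. Assumes PHP 7+. All user data below is constructed.
declare(strict_types=1);

// Three users, two of whom chose the same password.
$users = ['alice' => 'sunshine', 'bob' => 'sunshine', 'carol' => 'Tr0ub4dor&3'];

// 1. Unsalted md5, the way a CHAR(32) column filled by MySQL MD5() holds it.
//    Equal passwords give equal digests, so one table of md5(word) computed
//    once for a word list matches every account using that word.
$unsalted = array_map('md5', $users); // array_map keeps the string keys

function unsaltedTableHits(array $digests, array $wordlist): array
{
    $table = [];                      // digest => word, built one time only
    foreach ($wordlist as $w) {
        $table[md5($w)] = $w;
    }
    $hits = [];
    foreach ($digests as $user => $d) {
        if (isset($table[$d])) {
            $hits[$user] = $table[$d];
        }
    }
    return $hits;
}

// 2. A random per-user salt stored beside the hash. The same password now
//    gives a different hash per user, and a table computed in advance is
//    worthless: every salt would need its own table, built after the leak.
function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

$salted = [];
foreach ($users as $user => $pw) {
    $salt = bin2hex(random_bytes(16));
    $salted[$user] = ['salt' => $salt, 'hash' => saltedHash($pw, $salt)];
}

function verifySalted(array $record, string $attempt): bool
{
    return hash_equals($record['hash'], saltedHash($attempt, $record['salt']));
}

// 3. bcrypt does the salting itself and packs algorithm, cost, salt and hash
//    into one string, so nothing extra has to be stored; the cost parameter
//    also makes every single guess deliberately slow.
$bcrypt = password_hash('sunshine', PASSWORD_BCRYPT, ['cost' => 10]);

// --- demo ---
$wordlist = ['123456', 'password', 'sunshine', 'letmein'];
print_r(unsaltedTableHits($unsalted, $wordlist));               // which unsalted rows a word list resolves
var_dump($salted['alice']['hash'] === $salted['bob']['hash']);  // same password, salted: do hashes match?
var_dump(verifySalted($salted['alice'], 'sunshine'));
var_dump(verifySalted($salted['alice'], 'sunshin'));
echo $bcrypt, "\n";                                              // $2y$10$<22 chars salt><31 chars hash>
var_dump(password_verify('sunshine', $bcrypt));
```

Step 2 is the minimum that fixes the "same password, same digest" problem and it is what the Your_Account comment about a better salt is getting at; step 3 is what the phpass link above gives you in one class, with the salt handled for you and a tunable work factor on top. A fast hash such as sha256 with a salt still allows billions of guesses per second against a leaked table, which is why the thread ends up at bcrypt rather than at sha256 or sha512.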
 