[closed] Per-backend-user password salting

The members of the Dev team will place issues here that they consider to be solved.
tomphantoo
Forum Members
Posts: 13
Joined: Mon Apr 11, 2011 7:33 am

Post by tomphantoo »

It's good that password salting is coming for backend users.

I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).

I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).

Worth doing generally?
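
The scheme described in the post above, sketched as an added example (not tomphantoo's modification and not CMS Made Simple code): creation appends a random 8-character salt to the 32-character MD5 hex digest, and validation accepts either a hash-only or a hash+salt value. The function names, the salt-before-password hashing order, and the treatment of legacy rows as a plain unsalted MD5 are assumptions.

```php
<?php
// Added illustration, not CMS Made Simple code. Assumed stored layout, taken
// from the post: 32 hex chars of MD5, optionally followed by an 8-char salt.
const HASH_LEN = 32;
const SALT_LEN = 8;

// Hypothetical helper: build the stored value when a password is set.
function make_stored_password(string $password): string
{
    // 4 random bytes from the CSPRNG, hex-encoded to 8 characters.
    $salt = bin2hex(random_bytes(intdiv(SALT_LEN, 2)));
    // Assumption: the salt is prepended to the password before hashing.
    return md5($salt . $password) . $salt;
}

// Hypothetical helper: validate against hash-only or hash+salt rows.
function check_stored_password(string $password, string $stored): bool
{
    if (strlen($stored) === HASH_LEN) {
        // Legacy row; assumed here to be a plain MD5 with no per-user salt.
        $hash = $stored;
        $salt = '';
    } elseif (strlen($stored) === HASH_LEN + SALT_LEN) {
        $hash = substr($stored, 0, HASH_LEN);
        $salt = substr($stored, HASH_LEN);
    } else {
        return false; // unknown layout: reject rather than guess
    }
    // hash_equals() compares the two digests in constant time.
    return hash_equals($hash, md5($salt . $password));
}

// Constructed sample data: two users who chose the same password.
$alice  = make_stored_password('correct horse');
$bob    = make_stored_password('correct horse');
$legacy = md5('correct horse'); // hash-only row, identical for every such user

$checks = [
    'alice and bob store the same value' => $alice === $bob,
    'alice: right password accepted'     => check_stored_password('correct horse', $alice),
    'alice: wrong password accepted'     => check_stored_password('wrong horse', $alice),
    'legacy row: right password accepted' => check_stored_password('correct horse', $legacy),
    'truncated row accepted'             => check_stored_password('correct horse', substr($alice, 0, 35)),
];
foreach ($checks as $label => $result) {
    printf("%-38s %s\n", $label . ':', var_export($result, true));
}
```

MD5 is kept only to match the layout in the post. A per-user salt stops one precomputed table from covering every row, but MD5 remains fast to brute-force per user, which is the gap PHP's `password_hash()` addresses.
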
Rolf
Dev Team Member
Posts: 7740
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Per-backend-user password salting

Post by Rolf »

Hi tomphantoo

Thanks for helping us out testing ;)
tomphantoo wrote: Worth doing generally?
Not at this moment...

Grtz. Rolf