It's good that password salting is coming for backend users.
I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).
I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).
Worth doing generally?
[closed] Per-backend-user password salting
Re: Per-backend-user password salting
Hi tomphantoo
Thanks for helping us out testing
tomphantoo wrote: Worth doing generally?
Not at this moment...
Grtz. Rolf
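The scheme described in the first post, sketched as an added example that is not part of the thread and not CMS Made Simple code: a per-user salt stored after the 32-character MD5 hash, with validation that accepts both hash-only and hash+salt rows. The function names, the 8-hex-character salt encoding and the salt-before-password ordering are assumptions, since the post does not specify them.

```php
<?php
// Added illustration. Assumed layout of the stored password field:
// 32 hex chars of MD5, optionally followed by 8 chars of per-user salt.
// MD5 is used only because it is what the post describes; password_hash()
// is PHP's current API for new password storage.
const HASH_LEN = 32;
const SALT_LEN = 8;

// Hypothetical helper: build the value stored for a new or changed password.
function make_stored_password(string $password): string
{
    // 4 random bytes from the CSPRNG, hex-encoded to 8 characters.
    $salt = bin2hex(random_bytes(intdiv(SALT_LEN, 2)));
    // Assumption: the salt is prepended to the password before hashing.
    return md5($salt . $password) . $salt;
}

// Hypothetical helper: check a login attempt against either stored format.
function verify_stored_password(string $password, string $stored): bool
{
    if (strlen($stored) === HASH_LEN) {
        // Legacy row: unsalted hash only.
        return hash_equals($stored, md5($password));
    }
    if (strlen($stored) === HASH_LEN + SALT_LEN) {
        $hash = substr($stored, 0, HASH_LEN);
        $salt = substr($stored, HASH_LEN);
        // hash_equals() compares in constant time.
        return hash_equals($hash, md5($salt . $password));
    }
    return false; // unknown format: reject rather than guess
}

// Constructed sample data: one legacy row and two salted rows
// created from the same password.
$legacy = md5('correct horse');
$userA  = make_stored_password('correct horse');
$userB  = make_stored_password('correct horse');

var_dump(verify_stored_password('correct horse', $legacy)); // hash-only row
var_dump(verify_stored_password('correct horse', $userA));  // hash+salt row
var_dump(verify_stored_password('wrong guess', $userA));    // bad password
var_dump($userA === $userB); // whether two users' stored values collide
```

Because each row carries its own salt, two users with the same password get different stored values, so one precomputed dictionary cannot be matched against the whole table.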