CMS Made Simple Forums

[closed] Per-backend-user password salting

Author:  tomphantoo [ Tue Sep 20, 2011 8:35 am ]
Post subject:  [closed] Per-backend-user password salting

It's good that password salting is coming for backend users.

I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).

I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).

Worth doing generally?
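
The storage format tomphantoo describes, as an added example that is not the poster's or CMS Made Simple's code: a 32-character md5 hex digest with a random per-user salt appended, and a check that accepts both hash-only and hash+salt rows. The function names, the 8-hex-character salt encoding, hashing the salt before the password, and the unsalted legacy form are assumptions; md5 is kept only to match the post, and current PHP code would use password_hash() and password_verify() instead.

```php
<?php
// Added illustration; function names are hypothetical, not CMS Made Simple code.

const HASH_LEN = 32; // hex length of an md5 digest
const SALT_LEN = 8;  // salt characters appended after the digest (assumed hex)

// Build the stored value: md5(salt . password) followed by the salt itself.
// Where the salt enters the hash input is an assumption; the post does not say.
function make_stored_password(string $password): string
{
    // 4 random bytes become 8 hex characters, fresh for every user
    $salt = bin2hex(random_bytes(intdiv(SALT_LEN, 2)));
    return md5($salt . $password) . $salt;
}

// Validate against either stored form: legacy hash-only (32 chars)
// or hash+salt (40 chars). Any other length is rejected.
function check_stored_password(string $password, string $stored): bool
{
    $len = strlen($stored);
    if ($len === HASH_LEN) {
        $salt = '';                         // legacy row, no per-user salt (assumed)
    } elseif ($len === HASH_LEN + SALT_LEN) {
        $salt = substr($stored, HASH_LEN);  // salt is the trailing 8 characters
    } else {
        return false;                       // malformed or truncated field
    }
    $expected = substr($stored, 0, HASH_LEN);
    // hash_equals() compares in constant time
    return hash_equals($expected, md5($salt . $password));
}

// Constructed sample data: two users sharing a password, plus one legacy row.
$alice  = make_stored_password('correct horse');
$bob    = make_stored_password('correct horse');
$legacy = md5('correct horse');

var_dump($alice !== $bob);                                  // same password, separate salts
var_dump(check_stored_password('correct horse', $alice));   // hash+salt row
var_dump(check_stored_password('correct horse', $legacy));  // hash-only row
var_dump(check_stored_password('wrong guess', $bob));       // wrong password
```

Because each row carries its own salt, a precomputed dictionary of md5 digests has to be rebuilt per user rather than matched against the whole table at once.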

Author:  Rolf [ Fri Sep 23, 2011 4:19 pm ]
Post subject:  Re: Per-backend-user password salting

Hi tomphantoo

Thanks for helping us out testing ;)
tomphantoo wrote:
Worth doing generally?
Not at this moment...

Grtz. Rolf
