Marcher Technologies
Posted December 31, 2013

public function login($identifier, $identifierValue, $md5Password, $key, $redirect, $redirectHash) {

We really need to have the ability to retrieve the plaintext password to be able to verify the password is correct. In a platform using SHA-x or blowfish hashing algorithms, the md5'd password is useless. Fully understanding the implications (both of the password being retrievable in the first place, and that all existing masters/slaves would need to be updated as well), I still would recommend switching this to something like base64_encode/decode, which allows programmatic retrieval; otherwise a master on any platform using anything *not* md5 for password hashing will never exist. Thank you for reading, and I hope this can be addressed for 4.
bfarber
Posted January 2, 2014

Can you outline the use case? The way this works in 4.0 is different (we've actually moved away from MD5 in 4.0 ourselves), but I want to be sure your use case is covered. I can say that Connect supports a separate fetchSalt method now to retrieve the salt separately, and then you are expected to hash the password and send it through encoded. I am extremely leery of allowing the plain text password to be available over the air due to the risk of it being captured (think MITM attacks).
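The two flows discussed in this thread side by side, as an added toy model that is not code from either post and not the IPS Connect API itself: the account store, user names, passwords and salts are constructed, and fetchSalt is modelled as a local function rather than a network call. It shows why a master holding salted SHA-256 entries cannot check an md5(password) value, and how the fetch-salt-then-hash exchange lets the slave send a verifiable credential without the plaintext leaving it.

```python
import base64
import hashlib
import hmac
import secrets

def _salted_sha256(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed store: "bob" is a legacy MD5 account; "alice" is salted SHA-256 (the non-MD5 case the thread is about).
MASTER_USERS = {
    "bob": {"alg": "md5", "hash": hashlib.md5(b"hunter2").hexdigest()},
    "alice": {"alg": "sha256", "salt": b"0123456789abcdef",
              "hash": _salted_sha256(b"0123456789abcdef", "correct horse")},
}

def slave_md5_credential(plaintext_password: str) -> str:
    # Old-style slave: the only thing sent is md5(password).
    return hashlib.md5(plaintext_password.encode()).hexdigest()

def master_login_md5(identifier: str, md5_password: str):
    # True/False for MD5 accounts; None otherwise: an MD5 digest cannot be re-hashed into a salted SHA-256 entry.
    user = MASTER_USERS.get(identifier)
    if user is None:
        return False
    if user["alg"] != "md5":
        return None
    return hmac.compare_digest(md5_password.encode(), user["hash"].encode())

def fetch_salt(identifier: str) -> bytes:
    # Master side of fetchSalt; unknown accounts get a random salt so the reply does not reveal whether a user exists.
    user = MASTER_USERS.get(identifier)
    if user is None or user["alg"] != "sha256":
        return secrets.token_bytes(16)
    return user["salt"]

def slave_salted_credential(identifier: str, plaintext_password: str) -> str:
    # New-style slave: fetch salt, hash locally, send base64(hash); the plaintext never leaves this function.
    salt = fetch_salt(identifier)
    return base64.b64encode(_salted_sha256(salt, plaintext_password).encode()).decode()

def master_login_salted(identifier: str, encoded_hash: str) -> bool:
    # Master side: reject malformed input, then compare in constant time.
    user = MASTER_USERS.get(identifier)
    if user is None or user["alg"] != "sha256":
        return False
    try:
        supplied = base64.b64decode(encoded_hash, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, user["hash"].encode())
```

The hash sent in the second flow is still a credential in transit, which is why the MITM concern above applies to the transport regardless of which flow is used.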