Custom IPSConnect Master: $md5Password incompatible with modern password hashing algorithms

[Marcher Technologies]

	public function login($identifier, $identifierValue, $md5Password, $key, $redirect, $redirectHash) { 

We really need to have the ability to retrieve the plaintext password to be able to verify the password is correct. In a platform using SHA-x or blowfish hashing algorithms, the md5'd password is useless.

Fully understanding the implications(both of the password being retrievable in the first place, and that all existing masters/slaves would need updated as well), I still would recommend switching this to something like base64_encode/decode, that allows programmatic retrieval, otherwise a master on any platform using anything *not* md5 for password hashing will never exist.

Thank you for reading, and I hope this can be addressed for 4.

[bfarber]

Can you outline the use case? The way this works in 4.0 is different (we've actually moved away from MD5 in 4.0 ourselves), but I want to be sure your use case is covered.

I can say that Connect supports a separate fetchSalt method now to retrieve the salt separately, and then you are expected to hash the password and send it through encoded. I am extremely leery of allowing the plain text password to be available over the air due to the risk of it being captured (think MITM attacks).