BenHur Posted October 18, 2016 Hello, With the 4.x version, passwords are stored in the database but the salt is also stored. Why store the hash? (Extract from http://php.net/manual/en/function.password-hash.php : The used algorithm, cost and salt are returned as part of the hash.) Also, is the cost generated depending on the server? Or by default, is it set to 13? Thanks, Benjamin
Mark Posted October 19, 2016 We actually use crypt() rather than password_hash(), as we only recently started requiring a PHP version which includes that function (although the algorithm being used is the same), which necessitates the salt being stored separately. Now that our minimum PHP requirements have increased, I imagine we will switch over in a future version. The cost is set to 13.
BenHur (Author) Posted October 19, 2016 Thanks for these elements. Even if it's not the priority, it should be on your to-do list, yep.
PK E 12 Posted October 20, 2016 @Mark is there a topic that discusses the new way that you guys store passwords on IPB 4? So I can copy and paste that information into a topic to tell my members that they are more safe from having their passwords uncracked if it ever happened to my board.
Mark Posted October 20, 2016 Not as such. We use Blowfish hashing which is a standard technique. It is salted (so rainbow tables cannot be used) and deliberately slow (to limit the effectiveness of bruteforcing).
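The two routes Mark describes (crypt() with a separately stored salt, versus password_hash(), which embeds the salt and cost in the returned string, as BenHur's php.net quote says) and the properties he lists in his last post (salted, deliberately slow, cost 13) can be seen directly in PHP. The following is an added example written for this thread; it is not Invision Community's code, and the function names, the sample password and the check() helper are constructed for illustration. It assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not IPS code. Shows bcrypt via crypt() with a caller-supplied
// salt (the legacy route) next to password_hash(), which generates the salt
// itself and returns it inside the 60-character hash string.

const BCRYPT_COST = 13; // cost stated in the thread: 2^13 key-setup rounds
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/** Small assertion helper so the checks run regardless of zend.assertions. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

/** Legacy route: build a 22-character bcrypt salt from a CSPRNG. */
function makeBcryptSalt(): string
{
    $salt = '';
    for ($i = 0; $i < 21; $i++) {
        $salt .= BCRYPT_ALPHABET[random_int(0, 63)];
    }
    // 22 base64 characters hold 132 bits but the salt is only 128 bits, so
    // crypt() masks the final character to an index that is a multiple of 16.
    // Generating it that way keeps the stored salt identical to the one echoed
    // back inside the hash.
    $salt .= BCRYPT_ALPHABET[random_int(0, 3) * 16];
    return $salt;
}

/** Legacy route: hash with crypt(); the caller must keep $salt alongside the hash. */
function legacyHash(string $password, string $salt): string
{
    $setting = sprintf('$2y$%02d$%s', BCRYPT_COST, $salt);
    $hash = crypt($password, $setting);
    // crypt() reports a malformed setting with a short string such as "*0".
    check(strlen($hash) === 60, 'bcrypt hashing failed; check the salt format');
    return $hash;
}

/** Legacy route: recompute with the stored salt and compare in constant time. */
function legacyVerify(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, legacyHash($password, $salt));
}

/** Modern route: password_hash() picks the salt and embeds it in the result. */
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Split a bcrypt string into the algorithm, cost, salt and digest fields. */
function parseBcrypt(string $hash): array
{
    $pattern = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    check(preg_match($pattern, $hash, $m) === 1, 'not a bcrypt hash');
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// --- Demonstration ---------------------------------------------------------
$password = 'correct horse battery staple'; // constructed sample input

$salt   = makeBcryptSalt();
$legacy = legacyHash($password, $salt);
$modern = modernHash($password);

// Both strings already carry the cost and the salt; a separate salt column
// duplicates what is inside the 60-character hash.
$legacyParts = parseBcrypt($legacy);
check($legacyParts['cost'] === BCRYPT_COST, 'legacy cost');
check($legacyParts['salt'] === $salt, 'legacy salt is embedded in the hash');
check(password_get_info($modern)['options']['cost'] === BCRYPT_COST, 'modern cost');

// Verification: the legacy route needs the stored salt, the modern route
// reads cost and salt out of the stored hash itself.
check(legacyVerify($password, $salt, $legacy), 'legacy verify');
check(password_verify($password, $modern), 'modern verify');
check(!password_verify('wrong password', $modern), 'modern reject');

// The cost is what makes bruteforcing slow: time a single verification.
$start = microtime(true);
password_verify($password, $modern);
printf("cost %d: one bcrypt verification took %.0f ms\n",
    BCRYPT_COST, (microtime(true) - $start) * 1000);
echo "legacy: $legacy\nmodern: $modern\n";
```

Run it with `php example.php`. The two printed hashes differ only in their random salt and digest fields; both start with `$2y$13$`, which is where the cost and salt live. The timing line gives a feel for why a cost of 13 matters: each guess an attacker makes against a leaked hash has to pay the same per-hash delay, and raising the cost doubles it.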