View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0013273 | mantisbt | security | public | 2011-08-29 06:20 | 2011-09-25 09:40 |
Reporter | CarstenGrohmann | Assigned To | atrol | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Product Version | git trunk | ||||
Summary | 0013273: Store salted passwd only | ||||
Description | Store all passwords salted by default. Storing un-salted passwords isn't state of the art. Please use random salts and convert un-salted passwords automatically to salted passwords after successful login. At least the MD5 hashed passwords are affected. See core/authentication_api.php:auth_process_plain_password() | ||||
Tags | No tags attached. | ||||
Please add support for random salts and change the default configuration to use random salts automatically as well as to convert pw hashes without salts to salted password hashes after user login. Static salts are tricky because:
Further information about salted passwords and why salted passwords are so important: |
|
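The conversion requested in this issue (verify against the old un-salted MD5 hash, then store a randomly salted hash after a successful login), as an added PHP example that is not MantisBT code and not part of the issue thread. `is_legacy_md5()`, `verify_and_upgrade()` and the `$users` array are hypothetical names, and PHP's built-in `password_hash()`, which generates a fresh random salt for every hash, is assumed as the salted scheme.

```php
<?php
// Added illustration with hypothetical names; not taken from MantisBT.

// Constructed in-memory store standing in for the user table.
$users = [
    'alice' => ['password' => md5('correct horse')], // legacy un-salted MD5
];

// A legacy entry is exactly 32 lowercase hex characters. Hashes produced by
// password_hash() start with '$', so the two formats cannot be confused.
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Check the password; on success, replace a legacy or outdated hash with a
// randomly salted one. The plain password is only available at login time,
// which is why the conversion has to happen here.
function verify_and_upgrade(array &$users, string $name, string $plain): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    $legacy = is_legacy_md5($stored);

    $ok = $legacy
        ? hash_equals($stored, md5($plain))   // constant-time comparison
        : password_verify($plain, $stored);
    if (!$ok) {
        return false;                         // never rewrite on a failed login
    }

    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['password'] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(verify_and_upgrade($users, 'alice', 'wrong'));           // rejected, hash untouched
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));   // accepted, hash upgraded
var_dump(is_legacy_md5($users['alice']['password']));             // no longer a legacy hash
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));   // accepted via salted hash
```

Accounts that never log in again keep their un-salted hash under this scheme, so a deployment would also need a plan for those, such as forcing a password reset after a cutoff date.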
If you want to provide additional information you can add notes to the duplicate issue. Or is there any other reason to reopen the issue? |
|
I'm sorry, please close this bug a second time |
|