View Issue Details

ID: 0022839
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2023-10-31 16:36
Reporter: dregad
Assigned To: dregad
Status: assigned
Resolution: open
Target Version: 2.27.0
Summary: 0022839: Deprecate MD5 login method and replace with BCRYPT hash

For many years, Mantis has been using MD5 as the default and "best" hashing algorithm to store users' passwords in the database.

Since 2.x requires PHP 5.5.9, we can now use the password_hash() function, which relies on the modern and safe BCRYPT hashing algorithm for better security.

Additional Information

This basically makes several old issues in the tracker that aimed at replacing MD5 with SHA1/SHA256 obsolete, including 0010172, 0011250 and possibly others as well.
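As an added illustration of the migration this issue asks for (example code, not MantisBT's own), the following PHP shows how a login path can keep accepting stored MD5 digests while replacing each one with a password_hash() BCRYPT hash at the user's next successful login. It assumes a single stored-hash string per user and a bcrypt cost of 12; both are assumptions, not values from the issue.

```php
<?php
// Added example (not MantisBT code): upgrade a legacy MD5 password hash to
// bcrypt transparently at the next successful login.
// Assumption: the user row stores either a 32-hex-char MD5 digest (legacy)
// or a password_hash() string (starts with '$').
declare(strict_types=1);

function is_legacy_md5(string $stored): bool
{
    // MD5 hex digests are exactly 32 hex characters; bcrypt output never is.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

/**
 * Verify $plain against $stored and return the hash to persist:
 *  - the unchanged $stored when it is already an acceptable bcrypt hash,
 *  - a fresh bcrypt hash when a legacy MD5 digest matched or the stored
 *    bcrypt cost is below the current policy,
 *  - null when the password does not match.
 */
function verify_and_upgrade(string $plain, string $stored, int $cost = 12): ?string
{
    $options = ['cost' => $cost];

    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return null;
        }
        // Legacy hash matched: rehash now, while the plaintext is available.
        return password_hash($plain, PASSWORD_BCRYPT, $options);
    }

    if (!password_verify($plain, $stored)) {
        return null;
    }
    // Also upgrade bcrypt hashes that were created with a weaker cost.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        return password_hash($plain, PASSWORD_BCRYPT, $options);
    }
    return $stored;
}

// Constructed sample: a user whose row still holds md5('correct horse').
$stored  = md5('correct horse');
$upgraded = verify_and_upgrade('correct horse', $stored);
if ($upgraded === null || is_legacy_md5($upgraded)) {
    throw new RuntimeException('expected an upgraded bcrypt hash');
}
if (verify_and_upgrade('wrong password', $stored) !== null) {
    throw new RuntimeException('wrong password must not verify');
}
echo "legacy MD5 replaced by: {$upgraded}\n"; // caller writes this back to the user row
```

Until every user has logged in once, the database still contains MD5 digests, so a complementary step is to force a password reset for accounts that remain on the legacy format.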

Tags: No tags attached.


related to 0010172 (closed, dregad): Passwords in SHA256 using a static salt
related to 0011250 (closed, dregad): Allow SHA1 passwords
has duplicate 0026085 (closed, dregad): Support stronger authentication w/ schema changes
related to 0012957 (assigned, dregad): Password stored md5-unsalted in database when LDAP authentication is enabled


2017-05-06 17:34
developer ~0056785

2018-12-12 10:56
reporter ~0061073

We appreciate your efforts on this project, and understand that you haven't been able to integrate this patch into the project yet. We would like to know if there is something that we can do to encourage you to find time to fix this serious issue. How do you feel about a significant bounty here: ?

We are willing to contribute $500 USD for a released fix by the end of 1Q 2019. We would also encourage others to contribute as well. If some other mechanism works better for you, please let us know.

2019-03-18 16:20
reporter ~0061695

I'd love to see this fixed too. Could contribute at least $100 USD also.

2019-06-17 19:00
reporter ~0062264

Seems this bug got some press today: