View Issue Details

ID: 09567
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2017-10-10 16:33
Reporter: leberger
Assigned To:
Status: new
Resolution: reopened
Product Version:
Target Version:
Fixed in Version: 2.00+
Summary: 09567: no salt used for password hashing.
Description: Apparently, no salts are used for passwords.
It is obviously a security issue.
Additional Information: Hint to solve this problem.

When implementing this, you can either force the users to reset their password (so that you have ONLY salted passwords), or keep the old password "retro compatible" (thus salt is an empty string). However, if you prefer the second option, we should encourage admins to force the reset of all passwords.
Tags: No tags attached.




2015-03-21 11:27

developer   ~31874

hash('sha256', $password)


2015-03-21 11:29

developer   ~31875

No salt, right.


2017-10-10 16:33

developer   ~44563

Maybe adding 2 salts and updating them at each login. One current (empty at start for old users), one next. Compare the password with the crypted password with the current hash and save it with the future hash after. Move future to current and create a new one for future.
One CMS uses this system (+ some JavaScript crypting function)
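
The "retro compatible" option from the report, with the stored value replaced at the next successful login as the last note proposes, can look like the following. This is an added example, not code from the project: it assumes PHP 7.1+ and that legacy values are the hex output of `hash('sha256', $password)`; the function names are hypothetical, and PHP's built-in `password_hash()` (which generates a random salt per password and embeds it in the result) is used in place of the two-salt rotation.

```php
<?php
// Added example. isLegacyHash() and verifyAndUpgrade() are hypothetical names.

/** True when the stored value looks like an unsalted SHA-256 hex digest. */
function isLegacyHash(string $stored): bool
{
    return strlen($stored) === 64 && ctype_xdigit($stored);
}

/**
 * Check a login attempt against the stored value.
 * Returns [bool $ok, ?string $newHash]. When $newHash is not null the
 * caller must write it to the user record, replacing the old value.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyHash($stored)) {
        // Legacy path: unsalted digest, compared with a timing-safe function.
        $candidate = hash('sha256', $password);
        if (!hash_equals(strtolower($stored), $candidate)) {
            return [false, null];
        }
        // Password is known to be correct here, so it can be re-hashed
        // with a fresh per-user salt without asking the user for anything.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Salted path: password_verify() reads algorithm, cost and salt
    // from the stored string itself.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample data: one legacy account logging in twice.
$stored = hash('sha256', 'correct horse battery');
[$ok, $upgraded] = verifyAndUpgrade('correct horse battery', $stored);
var_dump($ok, $upgraded !== null && !isLegacyHash($upgraded));

$stored = $upgraded ?? $stored;            // what the caller would persist
[$okAgain, $rehash] = verifyAndUpgrade('correct horse battery', $stored);
[$okWrong] = verifyAndUpgrade('wrong guess', $stored);
var_dump($okAgain, $rehash, $okWrong);
```

Accounts that never log in again keep their unsalted digest, which is why the report recommends that admins force a reset of all passwords.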

Issue History

Date Modified Username Field Change
2015-03-17 12:35 leberger New Issue
2015-03-21 11:27 DenisChenu Note Added: 31874
2015-03-21 11:27 DenisChenu Status new => closed
2015-03-21 11:27 DenisChenu Assigned To => DenisChenu
2015-03-21 11:27 DenisChenu Resolution open => no change required
2015-03-21 11:27 DenisChenu Fixed in Version => 2.00+
2015-03-21 11:29 DenisChenu Assigned To DenisChenu =>
2015-03-21 11:29 DenisChenu Note Added: 31875
2015-03-21 11:29 DenisChenu Status closed => feedback
2015-03-21 11:29 DenisChenu Resolution no change required => reopened
2015-03-21 11:29 DenisChenu Status feedback => new
2017-10-10 16:33 DenisChenu Note Added: 44563