[dokuwiki] multiple hash methods for passwords

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 13 May 2005 17:43:08 +0200

Hi all!

I just pushed a patch for introducing a little bit more security on the user 
passwords. Currently passwords are stored as MD5 hashes; this is usually pretty 
secure and can be attacked by brute force only in most cases. However, there are 
databases of common-word MD5 sums available ([1],[2]) which make decrypting weak 
passwords a matter of seconds. So this is a serious problem where the crypted 
passes may be available easily (shared hosting).

The solution against this is adding a random salt, so I added that. Well, and 
while I was at changing that anyway, I made the whole thing configurable. Now 
the following methods can be used for storing the passwords:

 *   smd5  - Salted MD5 hashing
 *   md5   - Simple MD5 hashing
 *   sha1  - SHA1 hashing
 *   ssha  - Salted SHA1 hashing
 *   crypt - The old Unix crypt using a 2-char salt

All methods can be used together, so you can continue to use the old md5 
crypted passwords but can have new passwords added with any of the other methods.

In inc/auth.php two new functions are available:

auth_cryptPassword() for crypting a password and auth_verifyPassword() to 
verify an uncrypted password against a crypted one. Currently both of them are 
used in auth_plain only.

Patches for using them in the other auth modules would be welcome.

Regards Andi


[1] http://md5.crysm.net/
[2] http://md5.rednoize.com/
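As an added illustration of the point made in the post above (this is example code, not DokuWiki's inc/auth.php; the `<method>$<hex salt>$<hex digest>` storage format, the function names `crypt_password`/`verify_password`/`lookup_in_table`, and the five-word lookup table are all assumptions constructed for this example), here is a Python sketch of why a precomputed common-word MD5 table recovers an unsalted weak password but not a salted one, and how a verify routine recomputes the hash from the stored method and salt. The legacy `crypt` method is left out.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the public common-word MD5 databases
# linked from the post; a real table holds millions of entries.
COMMON_WORDS = ["password", "letmein", "wiki", "secret", "123456"]

# method name -> underlying digest, split by whether a salt is mixed in
SALTED = {"smd5": "md5", "ssha": "sha1"}
UNSALTED = {"md5": "md5", "sha1": "sha1"}


def build_md5_lookup(words):
    """Precompute hash -> word; this is all a lookup database really is."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crypt_password(clear, method="smd5", salt=None):
    """Hash a clear-text password with one of the four methods.

    Assumed storage format (not DokuWiki's): "<method>$<hex salt>$<hex digest>".
    Unsalted methods store an empty salt field. Salted methods draw a fresh
    random salt when none is given, so two hashes of one password differ and
    no single precomputed table can cover them.
    """
    if method in UNSALTED:
        digest = hashlib.new(UNSALTED[method], clear.encode()).hexdigest()
        return f"{method}$${digest}"
    if method in SALTED:
        if salt is None:
            salt = os.urandom(8).hex()  # 64 random bits, hex-encoded
        digest = hashlib.new(SALTED[method], (salt + clear).encode()).hexdigest()
        return f"{method}${salt}${digest}"
    raise ValueError(f"unknown hash method: {method}")


def verify_password(clear, stored):
    """Recompute using the stored method and salt; compare in constant time."""
    method, salt, _digest = stored.split("$", 2)
    recomputed = crypt_password(clear, method, salt if salt else None)
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def lookup_in_table(stored, table):
    """What a stolen user file plus a lookup table yields: the clear-text
    word for an unsalted MD5 entry, or None when the digest is not listed."""
    _method, _salt, digest = stored.split("$", 2)
    return table.get(digest)


if __name__ == "__main__":
    table = build_md5_lookup(COMMON_WORDS)
    for method in ("md5", "smd5"):
        stored = crypt_password("letmein", method)
        print(f"{method:5} {stored} -> table lookup: {lookup_in_table(stored, table)}")
```

Running it shows the `md5` entry for "letmein" resolved straight from the table while the `smd5` entry comes back as `None`, even though the password and the table are the same; the salt is what moves the attack from a table lookup back to per-user brute force. The constant-time comparison in `verify_password` is a small extra that a verify routine should have regardless of the hash method.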
