Topic: Password hashing

Offline byeh

Password hashing
« on: August 18, 2015, 01:10:57 AM »
I was looking at the password hashing and it uses md5.
Isn't that not that secure, wouldn't using bcrypt be better?

Offline abolabo

Re: Password hashing
« Reply #1 on: August 18, 2015, 06:57:52 AM »
AbanteCart uses md5 for passwords with "salt". It prevents finding collisions of encrypted passwords by stolen database dump.

Offline eCommerce Core

Re: Password hashing
« Reply #2 on: August 18, 2015, 06:58:43 AM »
MD5 is very secure for the purpose it serves. There is a salt key that is used together with MD5.

There are some downsides in using bcrypt.

Check this discussion:
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing

Offline eCommerce Core

Re: Password hashing
« Reply #3 on: August 18, 2015, 07:01:00 AM »
AbanteCart uses md5 for passwords with "salt". It prevents finding collisions of encrypted passwords by stolen database dump.

Even if the database is stolen, passwords will not be readable. MD5 is one-way encryption.
There is no way passwords will be leaked in open form.

Offline byeh

Re: Password hashing
« Reply #4 on: August 18, 2015, 10:28:34 AM »
Thanks for answering, I was always wondering about why md5 over bcrypt, wasn't able to find a clear answer before.

Offline Nullified

Re: Password hashing
« Reply #5 on: February 08, 2016, 07:07:26 AM »
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97
« Last Edit: February 08, 2016, 07:31:17 AM by Nullified »

Offline eCommerce Core
Re: Password hashing
« Reply #6 on: February 08, 2016, 08:04:52 AM »
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

The line that you posted is doing URL encrypting. No passwords or secure data are used in URLs.

As for hashing+salting passwords, this was a suggested standard a couple of years back; we will review and consider improvement.

I am looking at the overview here: http://php.net/manual/en/faq.passwords.php
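One way to move from a salted-MD5 scheme to password_hash()/password_verify() as the linked PHP FAQ recommends, without forcing every user to reset: verify the legacy hash on login, then store a bcrypt hash in its place. This is an added example, not AbanteCart's code; the legacy layout md5($salt . $password) with the salt stored beside it is an assumption for illustration, not AbanteCart's actual format.

```php
<?php
declare(strict_types=1);

// Assumed legacy format (not AbanteCart's verified layout): hex md5($salt . $password).
function legacy_md5_matches(string $password, string $salt, string $storedHex): bool
{
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading characters were correct.
    return hash_equals($storedHex, md5($salt . $password));
}

function is_legacy_hash(string $stored): bool
{
    // A bare 32-char hex string is the old format; password_hash() output
    // starts with an identifier such as "$2y$" for bcrypt.
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Check a login against whatever the account row currently holds.
 * Returns [bool $ok, ?string $newHash]; when $newHash is not null the caller
 * should write it to the row so the legacy MD5 hash is retired.
 */
function verify_and_upgrade(string $password, array $row): array
{
    $opts = ['cost' => 12];
    if (is_legacy_hash($row['password'])) {
        if (!legacy_md5_matches($password, $row['salt'], $row['password'])) {
            return [false, null];
        }
        // Correct password: replace the salted-MD5 hash with bcrypt right away.
        return [true, password_hash($password, PASSWORD_BCRYPT, $opts)];
    }
    if (!password_verify($password, $row['password'])) {
        return [false, null];
    }
    // Already bcrypt; rehash only if the cost factor has since been raised.
    $new = password_needs_rehash($row['password'], PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return [true, $new];
}

// Constructed sample row in the assumed legacy format.
$row = ['salt' => 'k3Fz9Q', 'password' => md5('k3Fz9Q' . 'correct horse')];
[$ok, $newHash] = verify_and_upgrade('correct horse', $row);
var_dump($ok, $newHash !== null && strncmp($newHash, '$2y$', 4) === 0);
[$ok2] = verify_and_upgrade('wrong password', $row);
var_dump($ok2);
```

After the upgraded hash is stored, a second login for the same account takes the password_verify() branch and the salt column becomes unused for that row.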

Offline abantecart

Re: Password hashing
« Reply #7 on: February 09, 2016, 10:45:02 AM »
As many other carts still use the same approach and there is no direct security impact, we do not see this as extremely critical.
However, we will address this in upcoming v1.3 this year.

Please post here and share your suggestions, concerns, etc.