AbanteCart Community

Shopping Cart Operations => Security => Topic started by: byeh on August 18, 2015, 01:10:57 AM

Title: Password hashing
Post by: byeh on August 18, 2015, 01:10:57 AM
I was looking at the password hashing and it uses MD5.
Isn't that not very secure? Wouldn't using bcrypt be better?
Title: Re: Password hashing
Post by: abolabo on August 18, 2015, 06:57:52 AM
AbanteCart uses MD5 for passwords with a "salt". It prevents finding collisions of encrypted passwords by stolen database dump.
Title: Re: Password hashing
Post by: eCommerce Core on August 18, 2015, 06:58:43 AM
MD5 is very secure for the purpose it serves. There is a salt key that is used together with MD5.

There are some downsides in using bcrypt.

Check this discussion:
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing
Title: Re: Password hashing
Post by: eCommerce Core on August 18, 2015, 07:01:00 AM
AbanteCart uses MD5 for passwords with a "salt". It prevents finding collisions of encrypted passwords by stolen database dump.

Even if the database is stolen, passwords will not be readable. MD5 is one-way encryption.
There is no way passwords will be leaked in open form.
Title: Re: Password hashing
Post by: byeh on August 18, 2015, 10:28:34 AM
Thanks for answering. I was always wondering why MD5 over bcrypt; I wasn't able to find a clear answer before.
Title: Re: Password hashing
Post by: Nullified on February 08, 2016, 07:07:26 AM
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97
Title: Re: Password hashing
Post by: eCommerce Core on February 08, 2016, 08:04:52 AM
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

The line that you posted is doing URL encryption. No passwords or secure data are used in URLs.

As for hashing+salting passwords, this was a suggested standard a couple of years back; we will review and consider improvement.

I am looking at the overview here: http://php.net/manual/en/faq.passwords.php
Title: Re: Password hashing
Post by: abantecart on February 09, 2016, 10:45:02 AM
As many other carts still use the same approach and there is no direct security impact, we do not see this as extremely critical.
However, we will address this in the upcoming v1.3 this year.

Please post here and share your suggestions, concerns, etc.