News:

AbanteCart v1.4.2 is released.

Main Menu

Password hashing

Started by byeh, August 18, 2015, 01:10:57 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

byeh

August 18, 2015, 01:10:57 AM
I was looking at the password hashing and it uses md5.
Isn't that not that secure, wouldnt using bycrpyt be better?

abolabo

#1
August 18, 2015, 06:57:52 AM
AbanteCart use md5 for password with "salt". It prevents finding collisions of encrypted passwords by stolen database dump.

eCommerce Core

#2
August 18, 2015, 06:58:43 AM
MD5 is very secure to the purpose it serves. There is salt key that is used together with MD5.

There are some downsides in using bycrpyt.

Check this discussion:
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing

eCommerce Core

#3
August 18, 2015, 07:01:00 AM
Quote from: abolabo on August 18, 2015, 06:57:52 AM
AbanteCart use md5 for password with "salt". It prevents finding collisions of encrypted passwords by stolen database dump.

Even if database is stolen, passwords will not be readable. MD5 is one way encryption.
There is no way passwords will be leaked in open form.

byeh

#4
August 18, 2015, 10:28:34 AM
Thanks for answering, was always wondering about why md5 over bycrypt, wasn't able to find a clear answer before.

Nullified

#5
February 08, 2016, 07:07:26 AM Last Edit: February 08, 2016, 07:31:17 AM by Nullified
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

eCommerce Core

#6
February 08, 2016, 08:04:52 AM
Quote from: Nullified on February 08, 2016, 07:07:26 AM
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

The line that you are posted is doing URL encrypting. No passwords or secure data used in URLs.

As for hashing+salting passwords, this was a suggested standard couple years back, we will review and consider improvement.

I am looking at the overview here: http://php.net/manual/en/faq.passwords.php

abantecart

#7
February 09, 2016, 10:45:02 AM
As many other carts still use same approach and there is no direct security impact, we do not see this as extremely critical.
However, we will address this in upcoming v1.3 this year.

Please post here and share your suggestions, concerns, etc.


Print
Go Up Pages1
User actions

Forum Rules Code of conduct
AbanteCart.com 2010 -