Password hashing

Started by byeh, August 18, 2015, 01:10:57 AM

byeh

I was looking at the password hashing and it uses md5.
Isn't that not that secure? Wouldn't using bcrypt be better?

abolabo

AbanteCart uses md5 for passwords with a "salt". It prevents finding collisions of encrypted passwords from a stolen database dump.

eCommerce Core

MD5 is very secure for the purpose it serves. There is a salt key that is used together with MD5.

There are some downsides to using bcrypt.

Check this discussion:
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing

eCommerce Core

Quote from: abolabo on August 18, 2015, 06:57:52 AM
AbanteCart uses md5 for passwords with a "salt". It prevents finding collisions of encrypted passwords from a stolen database dump.

Even if the database is stolen, passwords will not be readable. MD5 is one-way encryption.
There is no way passwords will be leaked in open form.

byeh

Thanks for answering; I was always wondering why md5 over bcrypt, and wasn't able to find a clear answer before.

Nullified

This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

eCommerce Core

Quote from: Nullified on February 08, 2016, 07:07:26 AM
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

The line that you posted is doing URL encrypting. No passwords or secure data are used in URLs.

As for hashing+salting passwords, this was a suggested standard a couple of years back; we will review and consider improvement.

I am looking at the overview here: http://php.net/manual/en/faq.passwords.php
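The php.net FAQ linked above recommends password_hash() / password_verify(). The following is an added example, not AbanteCart's code, of how a site holding salted-MD5 records can move to bcrypt without forcing a password reset: on each successful login the plaintext is available, so the legacy hash is verified in constant time and then immediately replaced. The record layout (a `salt` column plus an `algo` marker) and the legacy formula md5(salt . password) are assumptions constructed for the example, not the cart's actual scheme.

```php
<?php
// Added example (not AbanteCart code): verify a legacy salted-MD5 record and
// transparently upgrade it to password_hash() on successful login.
// The record layout and the legacy formula md5(salt . password) are assumed
// for illustration; they are not taken from the project.

declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12];

// Constructed sample user row; in a real application this comes from the database.
function makeLegacyRow(string $password): array
{
    $salt = bin2hex(random_bytes(8));
    return [
        'salt'     => $salt,
        'password' => md5($salt . $password), // legacy fast hash, assumed format
        'algo'     => 'md5',
    ];
}

function verifyLegacy(array $row, string $password): bool
{
    $candidate = md5($row['salt'] . $password);
    // hash_equals() compares in constant time so the match position is not leaked.
    return hash_equals($row['password'], $candidate);
}

// Returns true when the password matches; on a match, $row is updated in place
// to a bcrypt hash (or refreshed if the cost parameter has since been raised).
function verifyAndUpgrade(array &$row, string $password): bool
{
    if ($row['algo'] === 'md5') {
        if (!verifyLegacy($row, $password)) {
            return false;
        }
        // Legacy hash matched, so the plaintext is known: re-hash with bcrypt now.
        $row['password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $row['salt']     = ''; // bcrypt embeds its own random salt in the hash string
        $row['algo']     = 'password_hash';
        return true;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Cost or algorithm changed since this hash was created: refresh it.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $row['password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

// Usage: a wrong password leaves the legacy row untouched; a correct one
// converts it to a bcrypt record ($2y$ prefix) on the spot.
$row = makeLegacyRow('correct horse battery staple');
var_dump(verifyAndUpgrade($row, 'wrong password'), $row['algo']);
var_dump(verifyAndUpgrade($row, 'correct horse battery staple'), $row['algo']);
var_dump(substr($row['password'], 0, 4) === '$2y$');
```

Keeping the `algo` marker per row lets the two verification paths coexist during the migration window; once every active user has logged in, the remaining md5 rows can be expired and forced through a reset.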

abantecart

As many other carts still use the same approach and there is no direct security impact, we do not see this as extremely critical.
However, we will address this in the upcoming v1.3 this year.

Please post here and share your suggestions, concerns, etc.
