Password hashing

Started by byeh, August 18, 2015, 01:10:57 AM


byeh

I was looking at the password hashing and it uses md5.
Isn't that not very secure? Wouldn't using bcrypt be better?

abolabo

AbanteCart uses md5 for passwords with a "salt". It prevents finding collisions of encrypted passwords from a stolen database dump.
"No one is useless in this world who lightens the burdens of another."
― Charles Dickens

eCommerce Core

MD5 is very secure for the purpose it serves. There is a salt key that is used together with MD5.

There are some downsides to using bcrypt.

Check this discussion:
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing
"If you're in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent."
― Warren Buffett

eCommerce Core

Quote from: abolabo on August 18, 2015, 06:57:52 AM
AbanteCart uses md5 for passwords with a "salt". It prevents finding collisions of encrypted passwords from a stolen database dump.

Even if the database is stolen, passwords will not be readable. MD5 is one-way encryption.
There is no way passwords will be leaked in open form.

byeh

Thanks for answering. I was always wondering why md5 over bcrypt; I wasn't able to find a clear answer before.

Nullified

This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

eCommerce Core

Quote from: Nullified on February 08, 2016, 07:07:26 AM
This is the most moronic thing I have ever heard. You should be using bcrypt at the very least. Sort this mess out. Sites should not at all be using MD5 these days for hashing+salting passwords; it's obsolete and easily reversed. Your incompetence is putting your users and their customers in danger.

github.com/abantecart/abantecart-src/blob/b303515a1ab790adede7ef227339e3f28e4ee97a/public_html/core/lib/encryption.php#L97

The line that you posted is doing URL encryption. No passwords or secure data are used in URLs.

As for hashing+salting passwords, this was a suggested standard a couple of years back; we will review and consider improvement.

I am looking at the overview here: http://php.net/manual/en/faq.passwords.php
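The php.net FAQ linked in the post above recommends `password_hash()` / `password_verify()` (bcrypt by default) instead of a hand-rolled salted MD5. The example below is added here and is not AbanteCart code; it assumes a hypothetical legacy record of the form `md5($salt . $password)` stored next to a per-user salt (the page does not show the real storage layout), and shows how an application can keep accepting those legacy records while transparently upgrading each user to bcrypt on their next successful login, then using `password_needs_rehash()` to raise the cost factor later.

```php
<?php
// Added example, not AbanteCart code. Migrates password storage from a
// hypothetical salted-MD5 scheme to bcrypt using PHP's password_* API.
// ASSUMPTION: legacy records store md5($salt . $password) beside $salt.

declare(strict_types=1);

const BCRYPT_COST = 12; // tune so one hash takes a noticeable fraction of a second on your server

// Hypothetical legacy scheme, kept only to verify old records.
function legacy_salted_md5(string $password, string $salt): string
{
    return md5($salt . $password);
}

// Constant-time comparison; both sides are fixed-length hex strings.
function legacy_verify(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, legacy_salted_md5($password, $salt));
}

// bcrypt generates and embeds its own random salt; no separate salt column needed.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Verify a login attempt against a user record.
 * $user = ['scheme' => 'md5'|'bcrypt', 'hash' => string, 'salt' => ?string]
 * Returns [bool $ok, array $user]; on success the record may be upgraded
 * and should be written back to the database by the caller.
 */
function verify_and_upgrade(string $password, array $user): array
{
    if ($user['scheme'] === 'bcrypt') {
        if (!password_verify($password, $user['hash'])) {
            return [false, $user];
        }
        // Re-hash if the stored hash was made with a lower cost than current policy.
        if (password_needs_rehash($user['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $user['hash'] = modern_hash($password);
        }
        return [true, $user];
    }

    // Legacy path: accept the salted-MD5 record once, then replace it with bcrypt.
    if (!legacy_verify($password, $user['salt'], $user['hash'])) {
        return [false, $user];
    }
    $user['hash']   = modern_hash($password);
    $user['salt']   = null;
    $user['scheme'] = 'bcrypt';
    return [true, $user];
}

// Minimal self-check helper so the script fails loudly if a step is wrong.
function expect(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

// --- Constructed sample record for a stand-alone run ---
$salt = 'constructed-per-user-salt';
$user = [
    'scheme' => 'md5',
    'salt'   => $salt,
    'hash'   => legacy_salted_md5('correct horse battery staple', $salt),
];

// A wrong password must fail and must not touch the record.
[$ok, $user] = verify_and_upgrade('wrong password', $user);
expect(!$ok && $user['scheme'] === 'md5', 'wrong password must not authenticate or upgrade');

// The correct password authenticates against the legacy record and upgrades it.
[$ok, $user] = verify_and_upgrade('correct horse battery staple', $user);
expect($ok && $user['scheme'] === 'bcrypt', 'legacy login must succeed and upgrade');
expect(strpos($user['hash'], '$2y$') === 0, 'upgraded hash must be bcrypt');
expect($user['salt'] === null, 'separate salt is no longer needed');

// Subsequent logins verify directly with bcrypt.
[$ok, $user] = verify_and_upgrade('correct horse battery staple', $user);
expect($ok, 'bcrypt login must succeed');
[$ok, $user] = verify_and_upgrade('wrong password', $user);
expect(!$ok, 'bcrypt login with wrong password must fail');

echo "migration example completed\n";
```

The point of the switch is not that a salt is useless (it does defeat precomputed tables), but that MD5 is designed to be fast, so an attacker holding a database dump can test billions of candidate passwords per second per GPU against each salted hash. bcrypt's cost factor makes each guess deliberately slow and lets that cost be raised over time via `password_needs_rehash()`. Users who never log in again are never upgraded by this pattern; a common companion step, not shown here, is to wrap the existing MD5 values in bcrypt in bulk so no plain salted-MD5 hash remains at rest.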

abantecart

As many other carts still use the same approach and there is no direct security impact, we do not see this as extremely critical.
However, we will address this in upcoming v1.3 this year.

Please post here and share your suggestions, concerns, etc.
