Print Page - Password Hashing

Public area => The Pub => Features => Topic started by: ethankcvds on November 28th, 2011, 07:44 PM

Title: Password Hashing
Post by: ethankcvds on November 28th, 2011, 07:44 PM

Any plans of changing the way passwords are hashed? If so to which one?

(click to show/hide)

I had an other idea that I wanted post but I forgot.(Need to start writing things down.) :bah:

Title: Re: Password Hashing
Post by: Arantor on November 28th, 2011, 08:34 PM

None at this time. SHA1 of lowercase username and password should be enough for now, and the password upgraded accepts plenty more types...

If you're thinking to something else, what and why?

Title: Re: Password Hashing
Post by: ethankcvds on November 28th, 2011, 09:02 PM

Quote from Arantor on November 28th, 2011, 08:34 PM

None at this time. SHA1 of lowercase username and password should be enough for now, and the password upgraded accepts plenty more types...

If you're thinking to something else, what and why?

Ah okay. Something I had planned to use was either sha256 or sha512.

Title: Re: Password Hashing
Post by: Arantor on November 28th, 2011, 09:57 PM

For what reason, though? There are also side consequences, like performance and compatibility to contend with.

Title: Re: Password Hashing
Post by: ethankcvds on November 28th, 2011, 10:08 PM

Quote from Arantor on November 28th, 2011, 09:57 PM

For what reason, though? There are also side consequences, like performance and compatibility to contend with.

The only reason that I can think of is that at the age that sha-1 is how much longer is it before it becomes like md5 cryptographically un-secure.

Title: Re: Password Hashing
Post by: Arantor on November 28th, 2011, 10:16 PM

It's still prohibitive to build rainbow tables of per-user salted hashes, though.

Posted: November 28th, 2011, 10:12 PM

Also, don't forget that users don't usually care about security if it inhibits other things, such as performance.

Title: Re: Password Hashing
Post by: Arantor on November 29th, 2011, 04:10 PM

I should also note that if we made anything above SHA1 default, that's *even more* users who will have to go through password-upgrading on conversion, a factor that won't exactly endear convertees to Wedge, though it will be entirely accurate in that it will indeed upgrade security.

Title: Re: Password Hashing
Post by: ethankcvds on November 29th, 2011, 04:40 PM

Quote from Arantor on November 29th, 2011, 04:10 PM

I should also note that if we made anything above SHA1 default, that's *even more* users who will have to go through password-upgrading on conversion, a factor that won't exactly endear convertees to Wedge, though it will be entirely accurate in that it will indeed upgrade security.

Though I do have an other idea besides SHA256 and SHA512. During the install have it set so that the person can choose which hashing algorithm they want to use setting SHA1 as default and provide a note that states if converting from something like SMF 2.0 that they should use SHA1. Though if you still see fit not to change it at this point in time I can make the changes myself when wedge comes out.

Title: Re: Password Hashing
Post by: Arantor on November 29th, 2011, 06:19 PM

Bad idea. It will cause more support issues, more confusion among users and so on, and most people will leave it off if they're coming from SMF 2.

You do realise that there are much more significant things to be concerned with in terms of security than brute-forcing individually salted and hashed passwords, right?

(Long story short: you're asking us to implement something that virtually just you is interested in...)