Password hashing // lack of cryptographic hash functions
- Posted by CoJaBo2 Jul 18, 2012
- 1509 views
Just as an FYI, nobody should be using anything other than proven methods - such as salted SHA256 - to hash passwords. (MD5 is still the most commonly used today, but MD5 was been broken several years ago, and should no longer be used in new software)
prompt_password() #6, for example, demonstrates precisely what not to do- create a new algorithm without rigorous testing and knowledge of numerous pitfalls; at a quick glance, it looks like it will create some extremely poor hashes (no offense meant, but this demonstrates a very important point- most people wouldn't be able to recognize this as weak, and most - me included - wouldn't be able to come up with a stronger one either!). A custom algo really shouldn't be used for anything requiring even very modest security. Its just simpler to do it the right way, and use something already in wide use.
Or at least it should be- I can't help but notice that Eu's documentation doesn't have any cryptographic hashing functions at all (other than a brief note saying they aren't implemented). Since this one of the more common things needed to do (anything that wants to be password protected needs it), it really should be a priority. This shouldn't be hard to do either, there is plenty of code in C that could be integrated into the backend (or ported if need be). (I'd certainly lend help testing, etc, but I don't currently have time or familiarity with the backend to submit a patch to add this)
(Aside: The title of this page is "Fork Messsage")
