webERP Forum
Use bcrypt with suitable work factor for passwords if it's available

Forum: Feature Requests (http://www.weberp.org/forum/forumdisplay.php?fid=5)
Thread: Use bcrypt with suitable work factor for passwords if it's available (/showthread.php?tid=244)

Use bcrypt with suitable work factor for passwords if it's available - sdaugherty - 05-24-2012

It looks like the password hashing in webERP is a bit weaker than it could be. bcrypt is more resistant to brute force and features a configurable "work factor" that allows it to keep up with advances in computer hardware.

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range 04-31; values outside this range will cause crypt() to fail.

http://php.net/manual/en/function.crypt.php

The crypt function already uses hash ID values to clearly identify which hash is being used, and it's a simple matter to fall back to a supported hash on systems old enough to lack CRYPT_BLOWFISH so this could be implemented in a backwards compatible manner.
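The scheme proposed above, written out as an added example (it is not webERP code and not the PHP manual's): bcrypt through crypt() with a tunable cost, a fallback to SHA-512 crypt where CRYPT_BLOWFISH is unavailable, verification driven by the identifier stored in the hash, and a rehash check so old or low-cost hashes can be upgraded at the next login. It assumes PHP 5.3.7 or later (which added the corrected "$2y$" bcrypt identifier) and the openssl extension for salt generation; the function names and BCRYPT_COST are my own.

```php
<?php
// Added example, not webERP code. Assumes PHP >= 5.3.7 ("$2y$" available)
// and the openssl extension for a CSPRNG.

const BCRYPT_COST = 12; // base-2 log of the iteration count; raise as hardware gets faster

function generate_salt_chars($length)
{
    // crypt() salts must use only "./0-9A-Za-z"; 256 % 64 == 0 so the mapping is unbiased
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = openssl_random_pseudo_bytes($length);
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $salt;
}

function hash_password($password)
{
    if (CRYPT_BLOWFISH == 1) {
        // "$2y$" + two-digit cost + "$" + 22 salt chars; crypt() appends the 31-char digest
        $salt = sprintf('$2y$%02d$%s', BCRYPT_COST, generate_salt_chars(22));
        $hash = crypt($password, $salt);
        if (strlen($hash) == 60) return $hash; // a bad salt yields "" or "*0", never 60 chars
    }
    if (CRYPT_SHA512 == 1) {
        // Fallback for builds without bcrypt: SHA-512 crypt with an explicit rounds= count
        return crypt($password, sprintf('$6$rounds=100000$%s', generate_salt_chars(16)));
    }
    throw new RuntimeException('No acceptable crypt() algorithm available');
}

function verify_password($password, $stored)
{
    // The "$2y$12$..." or "$6$rounds=..." prefix stored with the hash tells crypt()
    // which algorithm, cost and salt to reuse, so older hashes keep verifying.
    $computed = crypt($password, $stored);
    if (function_exists('hash_equals')) return hash_equals($stored, $computed); // PHP >= 5.6
    if (strlen($stored) !== strlen($computed)) return false;
    $diff = 0; // manual constant-time compare for older PHP
    for ($i = 0; $i < strlen($stored); $i++) $diff |= ord($stored[$i]) ^ ord($computed[$i]);
    return $diff === 0;
}

function needs_rehash($stored)
{
    // True when bcrypt is available but the stored hash is legacy or below the current cost
    return CRYPT_BLOWFISH == 1
        && (substr($stored, 0, 4) !== '$2y$' || (int) substr($stored, 4, 2) < BCRYPT_COST);
}
```

Call needs_rehash() right after a successful verify_password() and store hash_password() of the just-verified password when it returns true; that is what lets the cost be raised later without forcing password resets.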