On Mon 19 Apr 2010 15:39 +0200, Linas wrote: > Loui Chang wrote: > > > Thank you for your suggestions. These are things that are best discussed > > on the aur-dev mailing list. > > > > Seems like you've put some thought into this. Why don't you submit a > > patch? > > > > Thanks for your support. Here goes an attempt. > I have mixed my suggestions with Denis idea of changing the hash algorithm > at the same time plus a few bits I found on the way. > > Actions performed by this patch: > salt to be NULL, in which case it is treated as md5 hashed password. > *All entries can be automatically updated by a -to be written- script. > *Removes add salt on login code, per above. > *Salted passwords now use sha512 instead of md5. > *Adds requirement on hash extension (usually bundled as static). > *try_login() only performs one query to verify user login instead of 5. > *generate_salt now uses mt_rand() > *Reject passwords given by GET.
Sorry for the late response. Ideally each of these actions should be a separate patch. That would enable changes that are straightforward to be applied quickly, while the other changes might still need review. The -to be written- script also needs to be included for the change to be complete. Cheers.
