@Chris: you've got to backup such serious claims with more than that.
Do you seriously think with all the highly skilled developers involved
with the core of CakePHP that any of them would be happy with a
password encryption process that could be brute force decrypted in
40 secs?

Not many people, including myself, are fully clued up on security so
seeing a post such as this claiming all CakePHP passwords are insecure
(which is what you are saying) is not only wrong but damaging.

For anyone reading this and questioning how safe passwords are when
encrypted with SHA1 and a salt, please be reassured that they are
secure.  However, nothing is ever totally secure and you should always
employ some validation to ensure user passwords are not weak.

HTH, Paul
@phpMagpie

On Sep 13, 2:55 am, Greg Skerman <[email protected]> wrote:
> Except that we're not simply hashing a password....
> we're hashing a password, that is nonced with the salt string...
>
> your 40 seconds also suggests pure alphanumeric passwords, all lowercase and
> 6 characters long, which is an incredibly weak password.
>
> So yeah, assuming you could generate every password of that length in 40
> seconds, and generate the hash for each of those passwords, it's not going to
> do you much good unless you jam each of those passwords into the form (and
> at that point, no matter *how* you are storing the password will protect
> you).
>
> If you have compromised the user table and have all of the hashed passwords,
> your list of matches will not help because the stored passwords are nonced,
> making your lookup completely worthless.
>
> cake's means of dealing with passwords is plenty secure...
>
> On Tue, Sep 13, 2011 at 11:21 AM, Chris Cinelli <[email protected]> wrote:
> > Read the link I posted. 40 secs to bruteforce crack a hash
> > On Sep 12, 2011 5:17 PM, "Ryan Schmidt" <[email protected]> wrote:
>
> > > On Sep 12, 2011, at 18:01, Chris Cinelli wrote:
>
> > >> Nowadays, normal hash functions like SHA1 are good for sessions and
> > >> caching but not for storing passwords. Doing that is pretty much equivalent
> > >> to having passwords in clear on the DB.
>
> > > Do you have documentation for this claim?
>
> > > --
> > > Our newest site for the community: CakePHP Video Tutorials
> > > http://tv.cakephp.org
> > > Check out the new CakePHP Questions site http://ask.cakephp.org and help
> > > others with their CakePHP related questions.
> > >
> > > To unsubscribe from this group, send email to
> > > [email protected] For more options, visit this group
> > > at http://groups.google.com/group/cake-php
>

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
[email protected] For more options, visit this group at 
http://groups.google.com/group/cake-php
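As an added illustration of the scheme argued over in this thread (example code written for this page, not CakePHP's own code and not any poster's), using a constructed site-wide salt string: the "salt string concatenated with the password, then SHA1" construction Greg describes, beside a per-user random salt with an iterated KDF. The salt stops precomputed lookup tables and, with a per-user salt, also stops two users with the same password from sharing a stored hash, but it does not change the cost of checking one candidate, which is what the "40 seconds" figure turns on; the `relative_cost` helper makes that difference measurable.

```python
import hashlib
import hmac
import os
import time

# Constructed placeholder standing in for a site-wide salt setting; not a real value.
SITE_SALT = "example-site-wide-salt-not-for-production"
PBKDF2_ROUNDS = 100_000


def hash_sha1_salted(password: str) -> str:
    """Site-wide salt scheme as described in the thread: sha1(salt . password)."""
    return hashlib.sha1((SITE_SALT + password).encode()).hexdigest()


def verify_sha1_salted(password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_sha1_salted(password), stored)


def hash_pbkdf2(password: str, salt=None) -> str:
    """Per-user random salt plus a deliberately slow KDF; stored as rounds$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def linkable_across_users(password: str):
    """(site-wide salt links equal passwords?, per-user salt links equal passwords?)"""
    same_sha1 = hash_sha1_salted(password) == hash_sha1_salted(password)
    same_pbkdf2 = hash_pbkdf2(password) == hash_pbkdf2(password)
    return same_sha1, same_pbkdf2


def relative_cost(samples: int = 5) -> float:
    """How many times slower one PBKDF2 verification is than one salted SHA1 check."""
    sha1_stored = hash_sha1_salted("correct horse")
    pbkdf2_stored = hash_pbkdf2("correct horse")
    t0 = time.perf_counter()
    for _ in range(samples):
        verify_sha1_salted("correct horse", sha1_stored)
    t1 = time.perf_counter()
    for _ in range(samples):
        verify_pbkdf2("correct horse", pbkdf2_stored)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)
```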
