Hi!

Is it correct that the passwords created with the help of the AuthComponent
are not public hashed (i.e. only secret hashed)? At least in my test app it
seems to be like that.
If so, this is a major security hole.
Example:
User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
Now hacker Charlie gains access to the database. He sees that both
passwords are identical, so it is much easier for him to break in. If user
Alice, for example, uses her password for other websites and hacker Charlie
gets that password, user Bob's account is lost as well.
IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
for their passwords. Maybe CakePHP should do the same.
So the correct way for passwords is:
crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
concatenated at the front of the crypted password.


-- Bernhard J. M. Grün

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
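The scheme the post proposes (a random public salt stored with the hash, plus an application-wide secret salt kept in configuration), as an added example that is neither the poster's code nor CakePHP's; the `APP_PEPPER` value, the `salt$hash` storage format and the use of HMAC-SHA256 in place of `crypt()` are my assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not CakePHP code: per-user public salt plus an
// application-wide secret salt ("pepper"), as the post proposes.

// The secret salt lives in configuration, never in the database.
// Placeholder value, assumed for this example only.
const APP_PEPPER = 'change-me-example-secret';

// Produce "salt$hash" for storage. The salt is public and random per user,
// so two users with the same password get different rows.
function hash_password(string $password): string
{
    $salt = bin2hex(random_bytes(16));
    $digest = hash_hmac('sha256', $salt . $password, APP_PEPPER);
    return $salt . '$' . $digest;
}

// Recompute with the stored salt and compare in constant time.
function verify_password(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$salt, $digest] = $parts;
    $candidate = hash_hmac('sha256', $salt . $password, APP_PEPPER);
    return hash_equals($digest, $candidate);
}

// Demo with the post's scenario: Alice and Bob both use "test".
$alice = hash_password('test');
$bob   = hash_password('test');
echo "Alice: $alice\n";
echo "Bob:   $bob\n";
var_dump($alice !== $bob);                 // identical passwords, different rows
var_dump(verify_password('test', $alice)); // correct password still verifies
var_dump(verify_password('wrong', $bob));  // wrong password is rejected
```

For new code, PHP's built-in password_hash() (bcrypt) generates and stores the salt itself and uses a deliberately slow hash, which is the better choice today; the example keeps the post's own scheme to show the effect of the public salt.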