http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614

On Oct 11, 5:24 am, "Bernhard J. M. Grün"
<[EMAIL PROTECTED]> wrote:
> Hi!
>
> Is it correct that the passwords created with the help of the AuthComponent
> are not public hashed (i.e. only secret hashed)? At least in my test app it
> seems to be like that.
> If so this is a major security hole.
> Example:
> User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> Now hacker Charlie gains access to the database. He sees that both
> passwords are identical. So it is much easier for him to break in. If user
> Alice for example uses her password for other websites and hacker Charlie
> gets that password, user Bob's account is also lost.
> IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> for their passwords. Maybe CakePHP should do the same.
> So the correct way for passwords is:
> crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> concatenated at front of the crypted password.
>
> -- Bernhard J. M. Grün
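
The contrast Bernhard describes, as an added Python illustration that is not part of this thread or of CakePHP: a single application-wide secret makes equal passwords produce equal hashes, while a random per-user public salt stored in front of the digest does not. `APP_SECRET` is a constructed stand-in for Cake's Security.salt, the `<salt>$<digest>` record layout is an assumption, and PBKDF2 is swapped in for the post's crypt()/sha1 as a slower key derivation.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an application-wide secret (not Cake's default value).
APP_SECRET = "constructed-app-wide-secret"


def hash_secret_only(password: str) -> str:
    """Secret-only hashing: every user with the same password gets the same digest."""
    return hashlib.sha1((APP_SECRET + password).encode()).hexdigest()


def hash_with_public_salt(password: str, salt: str = "") -> str:
    """Per-user public salt kept in front of the digest, as the post proposes.

    The app secret is still mixed in; the random salt is what makes two users
    with the same password look different in the table. PBKDF2 (assumed here,
    swapped in for a plain sha1) also slows down offline guessing.
    Record format (assumed): '<salt>$<hexdigest>'.
    """
    if not salt:
        salt = secrets.token_hex(8)  # 16 hex chars, stored in the clear
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), (salt + APP_SECRET).encode(), 100_000
    ).hex()
    return f"{salt}${digest}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, _, digest = stored.partition("$")
    candidate = hash_with_public_salt(password, salt).partition("$")[2]
    return hmac.compare_digest(candidate, digest)


def shared_hash_pairs(records: dict) -> set:
    """What someone reading the user table learns: which users share a hash."""
    users = list(records)
    return {
        frozenset((a, b))
        for i, a in enumerate(users)
        for b in users[i + 1:]
        if records[a] == records[b]
    }
```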

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en