Hi! Thanks for your response. I already know that Security::hash() is used to generate the hash. But the problem is that the hash is insecure (for passwords) in my eyes. The reason is that two passwords encrypt to the same hash (given the secret salt is the same, which is the case).
-- Bernhard J. M. Grün

2008/10/12 [EMAIL PROTECTED] <[EMAIL PROTECTED]>

> http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614
>
> On Oct 11, 5:24 am, "Bernhard J. M. Grün" <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> > Is it correct that the passwords created with the help of the AuthComponent
> > are not public hashed (i.e. only secret hashed)? At least in my test app it
> > seems to be like that.
> > If so this is a major security hole.
> > Example:
> > User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> > User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> > Now hacker Charlie gets access to the database. He sees that both
> > passwords are identical. So it is much easier for him to break in. If user
> > Alice for example uses her password for other websites and hacker Charlie
> > gets that password, user Bob's account is also lost.
> > IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> > for their passwords. Maybe CakePHP should do the same.
> > So the correct way for passwords is:
> > crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> > concatenated at front of the crypted password.
> >
> > -- Bernhard J. M. Grün

You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
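The two schemes the thread contrasts, as an added example that is not part of the original post and not CakePHP's code: `secret_only_hash` models only the structure of a hash that mixes in a single application-wide secret (an assumption about the scheme being criticised, not the real `Security::hash()`), `public_salt_hash` implements the proposed shape of a per-user random salt stored in front of the digest on top of the secret, `verify` checks a password against a stored value, and `shared_hash_count` is the check a defender would run over a password table to see whether equal passwords are currently visible as equal hashes. All names, the application secret and the fixed salt are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Iterable, Optional

# Constructed values for the demonstration: an application-wide secret
# (the "secret salt" of the thread) and one fixed per-user salt so a
# result can be reproduced. Real code draws the salt from the secrets
# module for every user and keeps the secret out of the database.
APP_SECRET = b"constructed-application-secret"
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def secret_only_hash(password: str, secret: bytes = APP_SECRET) -> str:
    """Model of a hash that mixes in only an application-wide secret.

    This is an assumption about the scheme the thread complains about,
    not CakePHP's actual implementation. The defect it shows is
    structural: with no per-user input, equal passwords always give
    equal digests, so a database copy reveals which users share one.
    """
    return hashlib.sha1(secret + password.encode()).hexdigest()


def public_salt_hash(password: str, secret: bytes = APP_SECRET,
                     salt: Optional[bytes] = None) -> str:
    """Hash with a random, per-user public salt stored in front of the digest.

    Stored layout: <salt hex>$<digest hex>. The secret is still applied
    (here as an HMAC key) so that a database-only leak does not expose a
    plain salted digest; the public salt makes equal passwords diverge.
    A dedicated password KDF (bcrypt, scrypt, Argon2) would add the cost
    factor this example leaves out; the point shown is the salt.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    inner = hmac.new(secret, password.encode(), hashlib.sha256).digest()
    outer = hashlib.sha256(salt + inner).hexdigest()
    return salt.hex() + "$" + outer


def verify(password: str, stored: str, secret: bytes = APP_SECRET) -> bool:
    """Recompute with the stored salt and compare in constant time.

    Malformed stored values (no separator, non-hex salt) verify as False
    rather than raising, so a corrupted row cannot crash a login path.
    """
    try:
        salt_hex, _ = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    candidate = public_salt_hash(password, secret, salt)
    return hmac.compare_digest(candidate, stored)


def shared_hash_count(hashes: Iterable[str]) -> int:
    """Number of distinct stored hash values that belong to more than one user.

    Any nonzero result on a password table means equal passwords are
    distinguishable from the stored data alone, without cracking them.
    """
    return sum(1 for n in Counter(hashes).values() if n > 1)


if __name__ == "__main__":
    # Alice and Bob both use "test", as in the thread.
    legacy = [secret_only_hash("test"), secret_only_hash("test")]
    print("secret-only, shared hashes:", shared_hash_count(legacy))   # 1
    salted = [public_salt_hash("test"), public_salt_hash("test")]
    print("public salt, shared hashes:", shared_hash_count(salted))   # 0
    print("verify ok:", verify("test", salted[0]), "wrong:", verify("nope", salted[0]))
```

Running the script shows the secret-only scheme flagging one shared hash for Alice and Bob while the salted scheme flags none, even though both of Bob's and Alice's salted values still verify against "test".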
