In RC3 I've got a big problem with the auth component ;<

On 12 Oct, 19:00, "Bernhard J. M. Grün"
<[EMAIL PROTECTED]> wrote:
> Hi!
>
> Thanks for your response.
> I already know that Security::hash() is used to generate the hash. But the
> problem is that the hash is insecure (for passwords) in my eyes. The reason
> is that two passwords encrypt to the same hash (given the secret salt is the
> same which is the case).
>
> -- Bernhard J. M. Grün
>
> 2008/10/12 [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>
> >http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d...
>
> > On Oct 11, 5:24 am, "Bernhard J. M. Grün"
> > <[EMAIL PROTECTED]> wrote:
> > > Hi!
>
> > > Is it correct that the passwords created with the help of the
> > > AuthComponent are not public hashed (i.e. only secret hashed)? At least
> > > in my test app it seems to be like that.
> > > If so this is a major security hole.
> > > Example:
> > > User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> > > User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> > > Now hacker Charlie gains access to the database. He sees that both
> > > passwords are identical. So it is much easier for him to break in. If
> > > user Alice for example uses her password for other websites and hacker
> > > Charlie gets that password, user Bob's account is lost as well.
> > > IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> > > for their passwords. Maybe CakePHP should do the same.
> > > So the correct way for passwords is:
> > > crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> > > concatenated at front of the crypted password.
>
> > > -- Bernhard J. M. Grün
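The two schemes discussed in the quoted thread, as an added example that is not part of the original thread and not CakePHP's own code: a secret-salt-only hash (modelled on the sha1(secret + password) behaviour described above, with a constructed secret) makes equal passwords visible in a database dump, while a per-user public salt stored in front of the hash, as the poster proposes, does not. The `count_duplicate_hashes` helper is a constructed check a defender can run over a dump of stored values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the application-wide secret (Security.salt); not a real key.
SECRET_SALT = "constructed-app-secret-salt"


def secret_only_hash(password: str) -> str:
    """Secret-salt-only hashing as the thread describes it: the same password
    always yields the same hash, so equal passwords are visible in a DB dump."""
    return hashlib.sha1((SECRET_SALT + password).encode("utf-8")).hexdigest()


def make_salted_record(password: str, public_salt: Optional[bytes] = None) -> str:
    """Per-user public salt stored in front of the hash, as the poster proposes.
    Re-hashing the secret-salted value with a random public salt means two
    users with the same password get different stored records."""
    if public_salt is None:
        public_salt = os.urandom(16)
    salt_hex = public_salt.hex()
    inner = secret_only_hash(password)
    digest = hashlib.sha256((salt_hex + inner).encode("utf-8")).hexdigest()
    return f"{salt_hex}${digest}"


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute using the public salt stored in the record; constant-time compare."""
    salt_hex, stored = record.split("$", 1)
    inner = secret_only_hash(password)
    digest = hashlib.sha256((salt_hex + inner).encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)


def count_duplicate_hashes(stored_values) -> int:
    """Constructed check: how many stored values in a dump repeat an earlier one.
    Any value above zero means equal passwords are exposed to whoever reads the table."""
    seen = {}
    for value in stored_values:
        seen[value] = seen.get(value, 0) + 1
    return sum(n - 1 for n in seen.values())


if __name__ == "__main__":
    alice, bob = secret_only_hash("test"), secret_only_hash("test")
    print("secret-only duplicates:", count_duplicate_hashes([alice, bob]))  # 1
    rec_a, rec_b = make_salted_record("test"), make_salted_record("test")
    print("salted duplicates:", count_duplicate_hashes([rec_a, rec_b]))  # 0
    print("verify:", verify_salted_record("test", rec_a), verify_salted_record("wrong", rec_a))
```

A slow password KDF would be the stronger choice for the outer hash today; the block keeps a plain hash only to stay with the thread's crypt-inside-crypt proposal.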