Hi.
Just for completeness and in case anyone from SilverStripe reads this,
there is a fix for this problem which maintains (reasonable) backward
compatibility with the current broken version, so that existing users
in most installations won't be affected.

if (last 100 bits of hashed password in the database are zero) {
  use the old, broken authentication mechanism, but compare only the
  first 10 chars of the hashed passwords
} else {
  use a new/fixed authentication scheme which does not need to be
  compatible with the old version and which uses all 160 bits of the
  hashed password
}

-Craig
--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
-~----------~----~----~----~------~----~------~--~---
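The two-branch check sketched in the post above, worked through as an added example in Python. This is not SilverStripe's code and is not part of the original message. It assumes a 40-hex-character SHA-1 digest in which a legacy record keeps only the first 10 characters and zero-fills the remaining 30, and it uses salted SHA-1 stored as "salt$digest" as a stand-in for the fixed scheme; the names legacy_hash, is_legacy, new_hash and verify are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed model of the migration logic described in the post, not
# SilverStripe's actual implementation.
# Assumptions: stored hashes are 40-hex-character SHA-1 digests; a legacy
# (truncated) record keeps only the first LEGACY_CHARS characters and
# zero-fills the rest; the fixed scheme is modelled as salted SHA-1 over
# salt + password, stored as "salt$hexdigest".
LEGACY_CHARS = 10
HASH_CHARS = 40


def legacy_hash(password: str) -> str:
    """Old storage format as assumed here: first 10 hex chars of SHA-1,
    remainder zero-filled (used only to construct sample records)."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return digest[:LEGACY_CHARS] + "0" * (HASH_CHARS - LEGACY_CHARS)


def is_legacy(stored: str) -> bool:
    """A record is treated as legacy when everything after the first 10
    characters is zero. A genuine full-length hash matches this pattern
    with probability 2**-120, so the branch choice is effectively safe."""
    return len(stored) == HASH_CHARS and set(stored[LEGACY_CHARS:]) == {"0"}


def new_hash(password: str, salt: Optional[str] = None) -> str:
    """Fixed scheme as assumed here: per-user salt, full 160-bit digest."""
    salt = salt if salt is not None else secrets.token_hex(8)
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Authenticate against whichever format the stored record is in.

    Returns (ok, upgraded_record). On a successful login against a legacy
    record, upgraded_record is a full-strength replacement the caller
    should write back so the 40-bit comparison is never used again for
    that user; otherwise it is None."""
    if is_legacy(stored):
        # Old branch: only the first 10 hex chars (40 bits) carry information,
        # so compare only those, in constant time.
        candidate = hashlib.sha1(password.encode()).hexdigest()[:LEGACY_CHARS]
        ok = hmac.compare_digest(candidate, stored[:LEGACY_CHARS])
        return ok, (new_hash(password) if ok else None)

    # New branch: recompute with the stored salt and compare all 160 bits.
    salt, _, _digest = stored.partition("$")
    ok = hmac.compare_digest(new_hash(password, salt), stored)
    return ok, None


if __name__ == "__main__":
    # Constructed sample records: one user in the old format, one migrated.
    old_record = legacy_hash("correct horse")
    ok, upgraded = verify(old_record, "correct horse")
    print("legacy login ok:", ok, "upgraded to:", upgraded)
    print("new-format login ok:", verify(upgraded, "correct horse")[0])
    print("wrong password ok:", verify(upgraded, "battery staple")[0])
```

The legacy branch still only gives 40 bits of work to an attacker with a copy of the database, which is why verify hands back a re-hashed record on every successful legacy login: the population of truncated hashes shrinks as users sign in, and accounts that never do can be forced through a reset. The branch selection and the upgrade-on-login step do not depend on the digest used; a slow password KDF would replace new_hash without changing the rest.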