It is such a problem in the PHP wild that there is even an RFC for PHP 5.5 to add a password hashing API to the core: https://wiki.php.net/rfc/password_hash
David Neilsen | 07 834 3366 | PANmedia ®

On Mon, Aug 20, 2012 at 10:35 PM, Mike Birch <[email protected]> wrote:
> It's worse than you think. It's only a single md5 (the code you quoted is
> for generating activation keys).
> Passwords are created for this plugin in the UserAuthComponent class:
>
> public function makePassword($pass) {
>     return md5($pass);
> }
>
> The developer has deliberately ignored the CakePHP security class - see
> the hash method:
> http://api20.cakephp.org/class/security
> http://api20.cakephp.org/view_source/security#line-86
>
> --
> NZ PHP Users Group: http://groups.google.com/group/nzphpug
> To post, send email to [email protected]
> To unsubscribe, send email to
> [email protected]
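
An added example, not part of the thread and not the plugin's own code: one way the quoted makePassword() could be replaced with the password hashing API from the RFC linked above, upgrading stored md5 digests at the next successful login. The names isLegacyMd5, verifyAndUpgrade and the $saveHash callback are hypothetical, the sample row is constructed, and PHP 5.6 or later is assumed (password_hash from 5.5, hash_equals from 5.6).

```php
<?php
// Added illustration; not code from the plugin discussed in this thread.

// Replacement for makePassword(): salted, adaptive hash instead of bare md5.
function makePassword($pass)
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// Legacy rows hold a bare 32-character hex md5 digest.
function isLegacyMd5($stored)
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Hypothetical login helper: verify against either format and, on success,
// hand a fresh hash to $saveHash when the stored value is md5 or outdated.
function verifyAndUpgrade($pass, $stored, callable $saveHash)
{
    $legacy = isLegacyMd5($stored);
    if ($legacy) {
        // Constant-time comparison of the legacy digest.
        $ok = hash_equals(strtolower($stored), md5($pass));
    } else {
        $ok = password_verify($pass, $stored);
    }
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $saveHash(makePassword($pass));
    }
    return $ok;
}

// Constructed sample data: one user row still holding an md5 digest.
$row = array('password' => md5('correct horse'));
$save = function ($newHash) use (&$row) { $row['password'] = $newHash; };

// A failed attempt leaves the legacy row untouched.
var_dump(verifyAndUpgrade('wrong guess', $row['password'], $save));
// A successful login verifies against md5 once, then replaces the stored value.
var_dump(verifyAndUpgrade('correct horse', $row['password'], $save));
// The row is no longer in legacy format and now verifies via password_verify().
var_dump(isLegacyMd5($row['password']));
var_dump(verifyAndUpgrade('correct horse', $row['password'], $save));
```

Accounts that never log in again keep their md5 digest under this scheme, so a deployment would still need to expire or reset those rows separately.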
