I'll have a look at what the admin side of sourceforge brings.

Regarding password storage, the problem is that /password/ hashing should
be (relatively) slow, to prevent brute force searches on ever faster
hardware. I want to use phpass <> for that,
which is also used by Drupal, Wordpress, phpBB and other projects. It
supports even php version 3, using stronger hashes when available. See
this<>for more

I also intend to keep everything php4 compatible, when I first started
using phpshell I also needed that.

On Wed, Jun 13, 2012 at 9:20 PM, Wolfgang Dautermann <> wrote:

> Am 13.06.2012 09:46, schrieb Jan Kanis:
> > Hi Wolfgang,
> >
> > SVN access would be easiest for me.
> Hi Jan!
> You are now a member of the project with SVN access.
> Welcome to the team.
> > I currently just intend to add the changes I already made to the
> > official repo and I'll probably add a better password hashing since
> > just SHA is not considered secure anymore for password storage.
> Hm. Concerning password hashing - I believe sha1() *with salt* should be
> okay. There is no (native) sha2() function in PHP - yes you have the
> hash()-function, but there are recent PHP versions (>= 5.1.2) required.
> And I think a self-coded sha2()-function (in PHP) might be more insecure
> than (salted) sha1().
> Even for the move from md5() to sha1() I checked, if sha1() is
> available, because it is only present in PHP >= 4.3.0:
>       if ( function_exists('sha1') ) {
>            $fkt = 'sha1' ;
>        } else {
>            $fkt = 'md5' ;
>        } ;
> Would be fine, if phpshell works even with older PHP versions (because
> that is my use-case. I need it sometimes on a server with PHP 4.3.1 (no,
> I am not the admin there...), to remove some files created by apache, ...)
> Best regards from Austria,
> Wolfgang
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
phpshell-devel mailing list

Reply via email to