On Wed, 2010-11-03 at 11:32 -0700, Brion Vibber wrote:
> The common_munge_password() function in lib/util.php does this;
> currently it comes down to a simple:
>
> return md5($password . $id);
>
> So the result is the hex MD5 hash of the password with the integer user
> ID concatenated on the end.
>
By the way, I'm aware that this is a less-than-perfect salt -- ideally it'd put the ID salt value at the beginning of the string being hashed, instead of the end.

The reason I did it this way is that I actually screwed up the order of the parameters in StatusNet 0.4.x. By the time I figured it out, we'd already hashed tens of thousands of passwords on identi.ca, and it was Good Enough.

At some point in the future we may want to prefix the hashed value with an algorithm value, so we could upgrade in-place. New passwords would get the new algorithm, and by default we'd use the old one.

new:GARBLEGARBLEGARBLE => use new algorithm
LINENOISEJUNK => no prefix, use old algorithm

We could even add a couple of hook points to let plugins define their own hashes (or even use cleartext).

-Evan

________________________________________________________________________
Evan Prodromou, CEO
StatusNet Inc., 1124 rue Marie-Anne Est #32, Montreal, QC H2J 2T5
T: 438-380-4801 x101  C: 514-554-3826
W: http://evan.status.net/  E: e...@status.net
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
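The prefix-based upgrade path Evan sketches above (unprefixed value => legacy md5($password . $id); "new:" prefix => new algorithm; new passwords hashed with the new one; hook points for plugins to register their own) can be implemented as a small registry keyed on the stored prefix. The following is an added example written for this page, not StatusNet code: the function names (legacy_hash, bcrypt_hash, munge_password, check_password, login, split_stored), the choice of bcrypt via password_hash() as "the new algorithm", and the demo user row are all assumptions. It also goes one step beyond the mail by rehashing a legacy entry at login time, which is the moment the cleartext is available.

```php
<?php
// Added example, not StatusNet code. All names below are hypothetical.
// Assumes PHP >= 7.1 (scalar type hints, [] destructuring, password_hash,
// hash_equals).

// Legacy scheme exactly as the thread describes it: hex MD5 of the
// password with the integer user ID appended. Stored with no prefix.
function legacy_hash(string $password, int $id): string
{
    return md5($password . $id);
}

function legacy_verify(string $password, int $id, string $stored): bool
{
    // hash_equals() is a constant-time comparison, so a wrong guess does
    // not leak how many leading hex digits matched through timing.
    return hash_equals(legacy_hash($password, $id), $stored);
}

// "New algorithm" (assumption: bcrypt through password_hash). It embeds
// its own random salt and cost factor, so the user ID is no longer used
// as the salt and the end-vs-beginning ordering problem goes away.
function bcrypt_hash(string $password, int $id): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

function bcrypt_verify(string $password, int $id, string $stored): bool
{
    return password_verify($password, $stored);
}

// Algorithm registry keyed by stored-value prefix. A plugin would add its
// own entry here (the "hook point" from the thread). The empty key is the
// unprefixed legacy format. Registered outputs must not contain ':'.
$GLOBALS['password_algos'] = [
    'new' => ['hash' => 'bcrypt_hash', 'verify' => 'bcrypt_verify'],
    ''    => ['hash' => 'legacy_hash', 'verify' => 'legacy_verify'],
];
const DEFAULT_ALGO = 'new'; // new passwords get the new algorithm

// Split "prefix:rest" when the prefix is registered; anything else is
// treated as an unprefixed legacy hash (LINENOISEJUNK in the mail).
function split_stored(string $stored): array
{
    $pos = strpos($stored, ':');
    if ($pos !== false) {
        $prefix = substr($stored, 0, $pos);
        if (isset($GLOBALS['password_algos'][$prefix])) {
            return [$prefix, substr($stored, $pos + 1)];
        }
    }
    return ['', $stored];
}

// Produce a stored value under the given algorithm, tagged with its prefix.
function munge_password(string $password, int $id, string $algo = DEFAULT_ALGO): string
{
    $hash = $GLOBALS['password_algos'][$algo]['hash']($password, $id);
    return $algo === '' ? $hash : $algo . ':' . $hash;
}

// Verify against whichever algorithm produced the stored value.
function check_password(string $password, int $id, string $stored): bool
{
    [$algo, $hash] = split_stored($stored);
    return $GLOBALS['password_algos'][$algo]['verify']($password, $id, $hash);
}

// Upgrade in place: after a successful login the cleartext is in hand, so
// a legacy row can be rehashed under the default algorithm and written
// back. A failed login never touches the row.
function login(string $password, int $id, string &$stored): bool
{
    if (!check_password($password, $id, $stored)) {
        return false;
    }
    [$algo] = split_stored($stored);
    if ($algo !== DEFAULT_ALGO) {
        $stored = munge_password($password, $id);
    }
    return true;
}

// Constructed demo row: user 42 whose password was hashed under the old code.
$id = 42;
$stored = legacy_hash('correct horse', $id);
var_dump(login('wrong guess', $id, $stored));
var_dump(login('correct horse', $id, $stored));
var_dump(strpos($stored, 'new:') === 0);
var_dump(check_password('correct horse', $id, $stored));
```

Two caveats a practitioner would check before shipping this: the separator character must be one that no registered algorithm can emit (bcrypt and hex MD5 never contain ':'), otherwise split_stored() may misparse a hash; and the legacy path still has to be kept until every row has been rehashed, which only happens when each user logs in, so a periodic report of how many unprefixed rows remain tells you when it is safe to drop the old verifier.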
