I don't think we should completely forget about SHA1. Just the password hashing scheme should be improved. Something like

    $passhash = sha1(sha1($password) . $salt);

Also, the hash extension can be disabled on some configurations, and the user will be left with a broken component if SHA512 is used by default there.

On Jun 25, 01:09, Maciek Rumianowski <[email protected]> wrote:
> Thanks for the reply,
>
> my approach was also to suggest some changes to GuardPlugins. Somehow
> to encourage developers to use safer/stronger algorithms, because
> there are only md5 and sha1 mentioned and the possibility of changing them
> (but I don't think they will stop and consider using another algo). Or
> maybe make the default stronger?
>
> Thanks,
> Maciej
>
> On Jun 24, 12:04, Marc Weistroff <[email protected]> wrote:
> > You can provide custom hash functions/methods to sfDoctrineGuardPlugin.
> > Please have a look there:
> > http://trac.symfony-project.org/browser/plugins/sfDoctrineGuardPlugin...
> >
> > Marc
> >
> > On Thu, Jun 24, 2010 at 12:02 AM, Maciej Rumianowski <[email protected]> wrote:
> > > Hi,
> > >
> > > I'm wondering if symfony is going to use new, safer hash functions. I'm
> > > using sfGuardPlugin, which uses md5 and sha1 (I didn't check it in
> > > Doctrine's). NSA or NIST (I don't know which one) suggested that new
> > > applications (built to be used after 2010) should use SHA-2 or similar.
> > >
> > > As of PHP 5.1.2, I suppose, there is a hash() function which has a long list
> > > of algorithms to use; shouldn't it be better to use these algos?
> > >
> > > Moreover, I read on
> > > http://laurent.bachelier.name/2010/04/and-i-thought-sfdoctrineguardpl...
> > > …/
> > > that instead of rand(), mt_rand() should be used.
> > >
> > > Thanks
> > > Maciej Rumianowski
> > >
> > > --
> > > If you want to report a vulnerability issue on symfony, please send it to
> > > security at symfony-project.com
> > >
> > > You received this message because you are subscribed to the Google
> > > Groups "symfony developers" group.
> > > To post to this group, send email to [email protected]
> > > To unsubscribe from this group, send email to [email protected]
> > > For more options, visit this group at
> > > http://groups.google.com/group/symfony-devs?hl=en
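
The nested salted scheme from the first message, combined with the runtime fallback it asks for when the hash extension is disabled, as an added example that is not part of the original messages or of sfGuardPlugin. The function names and the record layout are hypothetical, and PHP 7+ is assumed for random_bytes().

```php
<?php
// Added illustration: function names and the record layout are hypothetical.
// sha1() is a core function; hash() is missing when the hash extension is off.
function pick_algorithm()
{
    return (function_exists('hash') && in_array('sha512', hash_algos(), true)) ? 'sha512' : 'sha1';
}

function digest($algorithm, $data)
{
    if ($algorithm === 'sha1') {
        return sha1($data);
    }
    if (!function_exists('hash') || !in_array($algorithm, hash_algos(), true)) {
        throw new RuntimeException("Digest '$algorithm' is unavailable on this build");
    }
    return hash($algorithm, $data);
}

// Nested salted construction from the first message: H(H(password) . salt).
function make_passhash($password, $salt, $algorithm)
{
    return digest($algorithm, digest($algorithm, $password) . $salt);
}

// The algorithm name is stored per user, so changing the default later does
// not invalidate hashes that were created with the previous one.
function create_record($password)
{
    $algorithm = pick_algorithm();
    $salt = bin2hex(random_bytes(16)); // assumption: PHP 7+ CSPRNG, not rand()/mt_rand()
    return array('algorithm' => $algorithm, 'salt' => $salt,
                 'hash' => make_passhash($password, $salt, $algorithm));
}

function verify_record($password, array $record)
{
    $expected = $record['hash'];
    $actual = make_passhash($password, $record['salt'], $record['algorithm']);
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $actual);
    }
    $diff = strlen($expected) ^ strlen($actual); // constant-time fallback
    for ($i = 0; $i < min(strlen($expected), strlen($actual)); $i++) {
        $diff |= ord($expected[$i]) ^ ord($actual[$i]);
    }
    return $diff === 0;
}

var_dump(verify_record('correct horse', create_record('correct horse'))); // constructed sample password
```

A fast digest such as SHA-1 or SHA-512 stays cheap to brute-force offline even when salted; on PHP 5.5+ the built-in password_hash() and password_verify() are the purpose-built alternative.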
