On 28.06.2010 08:19, FractalizeR wrote:
> I don't think we should completely forget about SHA1. Just password
> hashing scheme should be improved. Something like $passhash =
> sha1(sha1($password) . $salt);
No. You don't hash twice, ever. This does nothing to improve the
security, quite the contrary since it gives a deterministic length and
reduces the number of possibilities required to brute-force.
> Also hash extension can be disabled on some configurations and user
> will be left with broken component if SHA512 is used by default there.
Then please check for function_exists('hash') and fall back on sha1 if
really needed, but don't degrade it for everyone else because of a few
people that can't keep important extensions enabled.
Cheers
--
Jordi Boggiano
@seldaek :: http://seld.be/
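An added example of the runtime fallback Jordi describes (not code from this thread or from symfony): use ext/hash for SHA-512 when it is loaded and drop to sha1() only where it is not, recording which algorithm produced each stored value. The function names, the "algo$salt$hex" storage format and the sample salt are my own assumptions.

```php
<?php
// Added example, not from the thread: detect ext/hash at runtime instead of
// degrading to SHA-1 for every installation. Names below are assumptions.

/** Digest to use: sha512 when ext/hash is available, sha1 otherwise. */
function chooseDigest(): string
{
    // function_exists() short-circuits, so hash_algos() is only called
    // when ext/hash is actually loaded.
    return function_exists('hash') && in_array('sha512', hash_algos(), true)
        ? 'sha512'
        : 'sha1';
}

/** Salted digest of $password; returns "algo$salt$hex" so the algorithm travels with the hash. */
function hashPassword(string $password, string $salt): string
{
    $algo = chooseDigest();
    $data = $salt . $password;
    $hex  = ($algo === 'sha1') ? sha1($data) : hash($algo, $data);
    return $algo . '$' . $salt . '$' . $hex;
}

/** Recompute with the algorithm recorded in $stored, so values hashed on a sha1-only host still verify. */
function verifyPassword(string $password, string $stored): bool
{
    [$algo, $salt, $hex] = explode('$', $stored, 3);
    $data = $salt . $password;
    $calc = ($algo === 'sha1') ? sha1($data) : hash($algo, $data);
    return $calc === $hex;
}

// Constructed sample input (not real credentials).
$stored = hashPassword('correct horse', 'c0nstructedSalt');
var_dump(verifyPassword('correct horse', $stored));
var_dump(verifyPassword('wrong password', $stored));
```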
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.