TOPIC: Passwords MUST be salted and hashed

Passwords MUST be salted and hashed 1 year 2 months ago #1

  • Bruno Vernay
  • New Member
  • Posts: 3
  • Thank you received: 1
Hi,
A huge improvement would be to never send or store passwords in clear text.
There are lots of resources to help you reach this goal:
www.passwordtool.hu/joomla-password-hash-generator-salt-key
and
stackoverflow.com/questions/10428126/joomla-password-encryption

Ask me for more help if needed, but please do something.

Regards
Bruno
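The salted-and-hashed storage the first post asks for, as an added example that is not code from this thread or from the forum software: each user gets a fresh random salt, the password goes through a slow key-derivation function (PBKDF2-HMAC-SHA256 here; the record layout, iteration count and function names are my assumptions), and verification recomputes the hash and compares it in constant time, so the clear-text password never has to be stored or mailed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this illustration, not the forum's settings).
ALGO = "sha256"
ITERATIONS = 600_000   # deliberately slow to make offline guessing expensive
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_<algo>$<iterations>$<salt>$<hash>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a new random salt for every user
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record.

    Any malformed record (wrong field count, unknown scheme, bad base64)
    is treated as a failed login rather than an exception.
    """
    try:
        scheme, iters, salt_b64, hash_b64 = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password still get unrelated records, because the salts differ."""
    return hash_password(password) != hash_password(password)
```

Only the record string is written to the database; the registration mail can carry the username and a link, never the password itself.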

Passwords MUST be salted and hashed 1 year 1 month ago #2

  • Davy
  • Administrator
  • Organ enthusiast and creator of Polyphone
  • Posts: 213
  • Thank you received: 47
Hello Bruno,

Passwords are of course not stored in clear text. What have you seen for such a conclusion?

Regards,
Davy

Passwords MUST be salted and hashed 1 year 1 month ago #3

  • Bruno Vernay
  • New Member
  • Posts: 3
  • Thank you received: 1
Because I received it by email in clear text. Now I guess it is sent by email and then salted, hashed, stored?

Still, it would be better to get rid of the clear text as soon as possible; I am not sure that emailing the password is a useful thing.

But we are entering the user convenience vs. security debate; I don't want to sound too harsh. I really appreciate the forum, the application and the time you devoted to it!
Thanks
The following user(s) said Thank You: Davy

Passwords MUST be salted and hashed 1 year 1 month ago #4

  • Davy
  • Administrator
  • Organ enthusiast and creator of Polyphone
  • Posts: 213
  • Thank you received: 47
Oh yes, I didn't remember that during the registration step the password was sent by email. I found it convenient for the user, but you are right, this is not a good thing for security. This is now fixed, thank you for the report.

In any case, no passwords are stored in clear text in the database. There is no way to get them.
The following user(s) said Thank You: Bruno Vernay