
SUJET : Passwords MUST be salted and hashed

Passwords MUST be salted and hashed 2 years 3 months ago #1

  • Bruno Vernay
  • Offline
  • New Member
  • Posts: 3
  • Thanks received: 1
Hi,
A huge improvement would be to never send or store passwords in clear text.
There are lots of resources to help you reach this goal:
www.passwordtool.hu/joomla-password-hash-generator-salt-key
and
stackoverflow.com/questions/10428126/joomla-password-encryption

Ask me for more help if needed, but please do something.

Regards
Bruno
The administrator has disabled public write access.

Passwords MUST be salted and hashed 2 years 3 months ago #2

  • Davy
  • Offline
  • Administrator
  • Organ enthusiast and creator of Polyphone
  • Posts: 340
  • Thanks received: 81
Hello Bruno,

Passwords are of course not stored in clear text. What have you seen for such a conclusion?

Regards,
Davy
The administrator has disabled public write access.

Passwords MUST be salted and hashed 2 years 3 months ago #3

  • Bruno Vernay
  • Offline
  • New Member
  • Posts: 3
  • Thanks received: 1
Because I received it by email in clear text. Now I guess it is sent by email and then salted, hashed, stored?

Still, it would be better to get rid of the clear text as soon as possible; I am not sure that emailing the password is a useful thing.

But we are entering the user convenience vs. security debate; I don't want to sound too harsh. I really appreciate the forum, the application and the time you devoted to it!
Thanks
The administrator has disabled public write access.
This user was thanked for their post by: Davy

Passwords MUST be salted and hashed 2 years 3 months ago #4

  • Davy
  • Offline
  • Administrator
  • Organ enthusiast and creator of Polyphone
  • Posts: 340
  • Thanks received: 81
Oh yes, I didn't remember that during the registration step the password was sent by email. I found it convenient for the user, but you are right, this is not a good thing for security. This is now fixed, thank you for the report.

In any case, no passwords are stored in clear text in the database. There is no way to get them.
The administrator has disabled public write access.
This user was thanked for their post by: Bruno Vernay
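The two points raised in this thread, storing only a salted hash and never letting the plaintext leave the registration step, as an added Python example that is not code from the Polyphone forum, Joomla, or either poster. The record format, the PBKDF2 iteration count, and the `register` helper are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed record layout (not Joomla's): "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
# The iteration count is an assumption chosen to make brute force slow.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record derived from the password; the plaintext never appears in it."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(users, username, password):
    """Hypothetical registration step: store only the salted hash and return a welcome
    message that carries no secret, so nothing sent to the user can leak the password."""
    users[username] = hash_password(password)
    return f"Welcome {username}, your account is ready."


if __name__ == "__main__":
    db = {}
    print(register(db, "bruno", "correct horse"))
    print(db["bruno"])                                   # salt and hash only, no plaintext
    print(verify_password("correct horse", db["bruno"]))  # True
    print(verify_password("wrong guess", db["bruno"]))    # False
```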