Avatar

Feature request: Administrator change user password (Features)

by Auge ⌂ @, Tuesday, April 11, 2017, 12:06 (15 days ago) @ Milo

Hello

Just use a MD5-Hash, see functions.inc.php line 2087ff

To use md5 nowadays would be disastrous! That said, I can't see any call for md5 in the function that you linked. MLF2 only generated sha1-hashes but sha1 itself is inappropriate especially for password hashing and in general outdated nowadays. The next function is_pw_correct makes use of md5 in case of password hashes from old versions.

Nowadays a check-password-function should enforce the users to generate a new password with an actual hashing algorithm at the next login attempt and should delete the md5-hash of the (old) password from the records. For the password hashing itself we should use the function password_hash in future versions. At that point the minimal PHP-version would raise to 5.5.hash.php]password_hash[/link] in future versions. At that point the minimal PHP-version would raise to 5.5.

Tschö, Auge

--
further development of mlf1


Complete thread:

 RSS Feed of thread

powered by my little forum