#115 support (and use by default) stronger hashing algorithms

Status: open
Owner: nobody
Labels: security (2)
Priority: 5
Updated: 2014-03-17
Created: 2014-03-17
Creator: lelutin
Private: No

Hi there,

Currently the default password hashing algorithm is md5. This algorithm has been known to suffer from hash collisions which make it vulnerable to "easier" password cracking. It is now strongly discouraged to use md5 (or sha1) for storing password hashes.

Postfixadmin should add support for stronger algorithms like sha256, sha512, bcrypt, and use one of them by default instead of md5.

md5 support would need to stay for some time to enable people to re-hash all passwords. And actually, if we want to be nicer to users, we could provide an automated method to re-hash passwords upon login for those that are still using md5.
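The migration path the ticket sketches (keep verifying legacy md5 hashes, but transparently re-hash with a stronger scheme at the moment of a successful login, since that is the only time the plaintext is available) is shown below as an added example. It is not Postfixadmin's code and does not reproduce its real storage format: the `md5$...` and `pbkdf2_sha512$...` prefixes, the sample user table and the iteration count are assumptions made for this example, and salted PBKDF2-SHA512 stands in for the sha256/sha512/bcrypt options the ticket names.

```python
import base64
import hashlib
import hmac
import os

# Scheme markers are assumptions for this example, not Postfixadmin's real format.
LEGACY_ALG = "md5"
STRONG_ALG = "pbkdf2_sha512"
ITERATIONS = 200_000  # current policy; raising it makes older hashes "need rehash"


def hash_legacy_md5(password: str) -> str:
    """Unsalted MD5: the legacy scheme the ticket wants to migrate away from."""
    return f"{LEGACY_ALG}${hashlib.md5(password.encode()).hexdigest()}"


def hash_strong(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Salted, iterated SHA-512 (PBKDF2) as the stronger replacement scheme."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "$".join([STRONG_ALG, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format, using constant-time comparison."""
    alg, _, rest = stored.partition("$")
    if alg == LEGACY_ALG:
        return hmac.compare_digest(hash_legacy_md5(password), stored)
    if alg == STRONG_ALG:
        iterations, salt_b64, _dk_b64 = rest.split("$")
        recomputed = hash_strong(password, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(recomputed, stored)
    return False  # unknown scheme: fail closed rather than guess


def needs_rehash(stored: str) -> bool:
    """True if the hash is still MD5 or was made with fewer iterations than current policy."""
    alg, _, rest = stored.partition("$")
    if alg != STRONG_ALG:
        return True
    return int(rest.split("$")[0]) < ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success with a weak stored hash, upgrade it in place."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False  # a failed attempt must never touch the stored hash
    if needs_rehash(stored):
        users[username] = hash_strong(password)  # plaintext is only available right now
    return True


def make_sample_users() -> dict:
    """Constructed sample table: one legacy MD5 account, one already on the strong scheme."""
    return {
        "alice@example.com": hash_legacy_md5("correct horse battery staple"),
        "bob@example.com": hash_strong("hunter2-but-longer"),
    }


if __name__ == "__main__":
    users = make_sample_users()
    print("before:", users["alice@example.com"])
    print("login ok:", login(users, "alice@example.com", "correct horse battery staple"))
    print("after: ", users["alice@example.com"])
```

The `needs_rehash` check is what lets md5 support stay for a while and then be removed: once it also returns true for hashes made with an older iteration count, the same login path upgrades those too, and accounts that never log in can be listed and forced to reset once the legacy scheme is finally dropped.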

Discussion