From: Jan K. <jan...@ja...> - 2012-06-13 20:38:00
Thanks! I'll have a look at what the admin side of sourceforge brings.

Regarding password storage, the problem is that /password/ hashing should be (relatively) slow, to prevent brute force searches on ever faster hardware. I want to use phpass <http://www.openwall.com/phpass/> for that, which is also used by Drupal, Wordpress, phpBB and other projects. It supports even php version 3, using stronger hashes when available. See this <http://www.openwall.com/articles/PHP-Users-Passwords> for more explanation.

I also intend to keep everything php4 compatible; when I first started using phpshell I also needed that.

On Wed, Jun 13, 2012 at 9:20 PM, Wolfgang Dautermann <da...@oe...> wrote:

> On 13.06.2012 09:46, Jan Kanis wrote:
> > Hi Wolfgang,
> >
> > SVN access would be easiest for me.
>
> Hi Jan!
> You are now a member of the project with SVN access.
>
> Welcome to the team.
>
> > I currently just intend to add the changes I already made to the
> > official repo and I'll probably add a better password hashing since
> > just SHA is not considered secure anymore for password storage.
>
> Hm. Concerning password hashing - I believe sha1() *with salt* should be
> okay. There is no (native) sha2() function in PHP - yes you have the
> hash()-function, but a recent PHP version (>= 5.1.2) is required.
> And I think a self-coded sha2()-function (in PHP) might be more insecure
> than (salted) sha1().
>
> Even for the move from md5() to sha1() I checked if sha1() is
> available, because it is only present in PHP >= 4.3.0:
>
> if ( function_exists('sha1') ) {
>     $fkt = 'sha1';
> } else {
>     $fkt = 'md5';
> }
>
> It would be fine if phpshell works even with older PHP versions (because
> that is my use-case. I need it sometimes on a server with PHP 4.3.1 (no,
> I am not the admin there...), to remove some files created by apache, ...)
>
> Best regards from Austria,
> Wolfgang