GetSimple Support Forum
Security password - Printable Version




Security password - nguyentriquang - 2020-04-04

Dear Admin,

I downloaded the newest version, 3.3.16, and saw that the password encoding still uses sha1 in the passhash function. If I am not wrong, PHP now has a new password encoding, password_hash(), with higher security. Is it possible to use it in the new version 3.4? I tried to decode the sha1 password hash and the password_hash one online; some websites can decode the password from sha1, but no website can decode password_hash(). This is just my idea.

Thanks for your great job.


RE: Security password - Felix - 2020-04-04

Hi nguyentriquang,

GetSimple has the ability to use salted passwords.

You know this makes it much harder for cracking attempts to succeed,
not to say impossible for hackers without million dollar computer parks.
And even then it would take just too many years. So no problem here.


Read more about GetSimple salted passwords here:
http://get-simple.info/wiki/how_to:change_admin_password_salted

F.


RE: Security password - Bigin - 2020-04-04

sha1 is no longer up to date and should not be used anymore, no matter salt used or not.


RE: Security password - Felix - 2020-04-04

Quote: sha1 is no longer up to date and should not be used anymore, no matter salt used or not.

Show me a cracked salted sha1, then we talk.


RE: Security password - Bigin - 2020-04-04

I didn't say I can crack it, I said it is deprecated and should not be used. There are more modern alternatives for storing password hashes.
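
Added example, not part of any post in this thread and not GetSimple code: one way to move stored logins from a salted SHA-1 format to PHP's password_hash() without forcing resets, by verifying the old hash at login and replacing it on success. The legacy format sha1($password . $salt), the function names and the sample record are assumptions made for illustration.

```php
<?php
// Hypothetical helper: the legacy scheme is ASSUMED to be hex sha1(password . salt).
function legacy_sha1_hash(string $password, string $salt): string
{
    return sha1($password . $salt);
}

/**
 * Check a login against the stored hash.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the
 * stored value should be overwritten with a password_hash() result.
 */
function verify_and_upgrade(string $password, string $stored, string $salt): array
{
    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // Re-hash when the default algorithm or cost has changed since storage.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }

    // Legacy path: constant-time comparison against the salted SHA-1 value.
    if (!hash_equals($stored, legacy_sha1_hash($password, $salt))) {
        return [false, null];
    }
    // Correct password on a legacy record: upgrade it now, while the plaintext is available.
    return [true, password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample data: one user record still in the legacy format.
$salt   = 'constructed-site-salt';
$record = ['PWD' => legacy_sha1_hash('correct horse', $salt)];

[$ok, $new] = verify_and_upgrade('correct horse', $record['PWD'], $salt);
if ($ok && $new !== null) {
    $record['PWD'] = $new; // persist the upgraded hash in place of the SHA-1 value
}
var_dump($ok, password_get_info($record['PWD'])['algoName']);

// A wrong password against the upgraded record is rejected by password_verify().
[$ok2] = verify_and_upgrade('wrong guess', $record['PWD'], $salt);
var_dump($ok2);
```

Records of users who never log in again stay in the legacy format, so a deployment using this approach still needs a cutoff after which remaining SHA-1 entries are reset.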


RE: Security password - islander - 2022-12-13

@nguyentriquang @Bigin
Kind of you for pointing this out, but unfortunately, even the slightest suggestion of any modern implementations or updates to this program is often considered to be very offensive, regardless of how innocent or logical the suggestion may be. Please tread lightly in the future.
A more rational reply would be a simple "thanks for pointing this out, it will be considered for a future version", but is more often than not met with strong opposition for having a difference of opinion.

edit: more info or search "SHA-1 deprecated"


RE: Security password - islander - 2022-12-13

@Felix Please please do not take every suggestion as a personal attack. This is supposed to be a community. We are supposed to help each other to grow. Everyone is at different levels of experience and needs.

Your reply "Show me a cracked salted sha1, then we talk." is much like saying prove you have cancer then you can see a doctor. Preventative measures should be considered. But that doesn't mean that they will be implemented tomorrow.

The people posting here, I believe, are genuinely trying to help, by pointing out or suggesting things that may have been overlooked or unaware of. It's not an attack. It's not saying that anyone here is doing something wrong. It's just looking at ways of trying to improve a program that many people use and enjoy.

I am quite sure you are unhappy with my replies, but all I am looking for is a happy and productive community that can grow and not discourage users from trying to help.

Kind regards