Posts: 4
Threads: 3
Joined: Mar 2020
Dear Admin,
I downloaded the newest version, 3.3.16, and saw that the password encoding still uses sha1 in the passhash function. If I am not wrong, we now have a new password encoding in PHP, password_hash(), with higher security. Is it possible to use it in the new version 3.4? I tried to decode the sha1 password hash and the password_hash one online; some websites can decode the password from sha1, but there isn't any website that can decode password_hash(). This is just my idea.
Thanks for your great job.
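The migration asked about above, as an added example that is not part of the original post and not GetSimple's own code: existing salted SHA-1 hashes are accepted once at login and replaced with a password_hash() value. The function names and the legacy layout sha1($password . $salt) are assumptions made for illustration.

```php
<?php
// Added example. legacy_hash() and verify_and_upgrade() are hypothetical names,
// and the legacy layout sha1($password . $salt) is an assumption.

function legacy_hash(string $password, string $salt): string
{
    return sha1($password . $salt);
}

/**
 * Check a login against either hash format.
 * Returns [bool $ok, ?string $replacement]; when $replacement is not null,
 * the caller should store it in place of the old hash.
 */
function verify_and_upgrade(string $password, string $stored, string $salt): array
{
    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // Re-hash when PHP's default algorithm or cost has moved on.
        $replacement = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return [true, $replacement];
    }

    // Legacy path: salted SHA-1, compared in constant time.
    if (!hash_equals($stored, legacy_hash($password, $salt))) {
        return [false, null];
    }
    // The plaintext is only available now, so upgrade on this successful login.
    return [true, password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample data, not taken from a real installation.
$salt   = 'constructed-site-salt';
$stored = legacy_hash('correct horse', $salt);

[$ok, $replacement] = verify_and_upgrade('correct horse', $stored, $salt);
var_dump($ok);                                   // legacy hash accepted
var_dump(password_get_info($replacement)['algoName']); // new format to store

[$ok2, $none] = verify_and_upgrade('wrong guess', $stored, $salt);
var_dump($ok2, $none);                           // rejected, nothing to store

[$ok3, $again] = verify_and_upgrade('correct horse', $replacement, $salt);
var_dump($ok3, $again);                          // modern hash verifies, no re-hash needed
```

Accounts that never log in again keep their SHA-1 hash under this scheme, so a site would still need a forced reset for them.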
Posts: 515
Threads: 21
Joined: Feb 2019
Hi nguyentriquang,
GetSimple has the ability to use salted passwords.
You know this makes it much harder for cracking attempts to succeed,
not to say impossible for hackers without million dollar computer parks.
And even then it would take just too many years. So no problem here.
Read more about GetSimple salted passwords here:
http://get-simple.info/wiki/how_to:chang...ord_salted
F.
Posts: 538
Threads: 12
Joined: May 2013
sha1 is no longer up to date and should not be used anymore, no matter salt used or not.
Posts: 515
Threads: 21
Joined: Feb 2019
Quote:sha1 is no longer up to date and should not be used anymore, no matter salt used or not.
Show me a cracked salted sha1, then we talk.
Posts: 538
Threads: 12
Joined: May 2013
I didn't say I can crack it, I said it is deprecated and should not be used. There are more modern alternatives for storing password hashes.
Posts: 328
Threads: 5
Joined: May 2012
2022-12-13, 19:37:58
(This post was last modified: 2022-12-13, 19:50:26 by islander.)
@nguyentriquang @Bigin
Kind of you to point this out, but unfortunately, even the slightest suggestion of any modern implementations or updates to this program is often considered to be very offensive, regardless of how innocent or logical the suggestion may be. Please tread lightly in the future.
A more rational reply would be a simple "thanks for pointing this out, it will be considered for a future version", but such a suggestion is more often than not met with strong opposition for having a difference of opinion.
edit:
more info or search "SHA-1 deprecated"
Posts: 328
Threads: 5
Joined: May 2012
@Felix Please please do not take every suggestion as a personal attack. This is supposed to be a community. We are supposed to help each other to grow. Everyone is at different levels of experience and needs.
Your reply "Show me a cracked salted sha1, then we talk." is much like saying prove you have cancer, then you can see a doctor. Preventative measures should be considered. But that doesn't mean that they will be implemented tomorrow.
The people posting here, I believe, are genuinely trying to help, by pointing out or suggesting things that may have been overlooked or that others were unaware of. It's not an attack. It's not saying that anyone here is doing something wrong. It's just looking at ways of trying to improve a program that many people use and enjoy.
I am quite sure you are unhappy with my replies, but all I am looking for is a happy and productive community that can grow and not discourage users from trying to help.
Kind regards