    • 18409
    • 54 Posts
    Couldn’t the field be updated automatically on logon after an upgrade?

    e.g. revo knows if the pwd field is salted or not (using a flag in the row)
    Flag: 0, PWD: MD5
    user logs in, Revo gets plaintext pwd in POST, verify pwd by md5’ing it.
    Salt/sha1 pwd in database, change flag. Now have
    Flag:1, PWD: SALT+SHA1

    OK so you’d then be running with a lot of non-salted pwds for a long time, assuming a lot of users are dormant etc...

    just my 2 cents
      • 37860
      • 1 Posts
      It would not be too hard to add salted passwords to MODx. An additional database field for the salt next to the md5 db hash field would do it. If the field is empty, there is no hash. So it is backwards compatible. At least new users and users who change the password would be safer. Fresh MODx installations would be providing more security from the beginning. - Just a suggestion.

      We can check, when the user logs in, if the salt is set. If not, the password would be encrypted again...

      This would work with Evo and Revo.
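Both posts above describe the same lazy-migration idea: keep the old MD5 hash until the user next logs in, verify the plaintext against it, and only then store a salted hash and mark the row as upgraded. The following Python is an added example illustrating that flow; it is not MODx code and assumes a simplified user row (a dict with `flag`, `salt` and `pwd` fields) rather than the real Evo/Revo schema. The `flag` column follows the first post, and an empty `salt` doubles as the second post's marker, so either check works. The hash format (salt + SHA-1) is the one the thread proposes; a production system today would use a deliberately slow password hash in the same place, and the migration logic would be unchanged.

```python
import hashlib
import hmac
import secrets

# Constructed sample user row: legacy password stored as a bare MD5 hex digest.
# flag 0 = unsalted MD5 (legacy), flag 1 = SALT+SHA1 (upgraded).
def legacy_row(username: str, password: str) -> dict:
    return {
        "username": username,
        "flag": 0,
        "salt": "",  # empty salt is the second post's "not yet salted" marker
        "pwd": hashlib.md5(password.encode()).hexdigest(),
    }

def salted_sha1(salt: str, password: str) -> str:
    """The thread's proposed storage format: sha1(salt + password), hex-encoded."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def login(row: dict, password: str) -> bool:
    """Verify the submitted password; on success against a legacy row, rehash in place.

    The upgrade can only happen here, because the login POST is the only moment
    the server holds the plaintext. A failed attempt must leave the row untouched.
    """
    if row["flag"] == 0 or not row["salt"]:
        candidate = hashlib.md5(password.encode()).hexdigest()
        # compare_digest avoids leaking match position through timing
        if not hmac.compare_digest(candidate, row["pwd"]):
            return False
        # Correct legacy password: generate a fresh per-user salt, rehash, flip the flag.
        row["salt"] = secrets.token_hex(16)
        row["pwd"] = salted_sha1(row["salt"], password)
        row["flag"] = 1
        return True
    # Already-upgraded row: verify against the salted hash only.
    candidate = salted_sha1(row["salt"], password)
    return hmac.compare_digest(candidate, row["pwd"])

def legacy_count(rows: list) -> int:
    """How many rows still carry unsalted MD5 hashes.

    Useful for tracking the first post's concern: dormant users never log in,
    so their rows stay unsalted until they do or are forced to reset.
    """
    return sum(1 for r in rows if r["flag"] == 0 or not r["salt"])

if __name__ == "__main__":
    users = [legacy_row("alice", "correct horse"), legacy_row("bob", "battery staple")]
    print("legacy rows before:", legacy_count(users))
    print("alice wrong pwd:", login(users[0], "wrong"))
    print("alice right pwd:", login(users[0], "correct horse"))
    print("alice row now:", users[0])
    print("legacy rows after:", legacy_count(users))
```

Running the script shows the wrong password leaving alice's row at flag 0, the correct password flipping it to flag 1 with a 32-character hex salt, and bob's row still counted as legacy because he never logged in.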