  • Is there a chance that someone can explain what these settings actually do?

    OK, "Detection level of the PHP error" is probably trial and test, but "Hash algorithm" is new on me.

    Cheers
    • Detection level lets you set the error level for PHP; for example if you want it to show notices and warnings or not. It is generally recommended to have PHP set to not display any errors at all, and log the errors in a log file instead. But many if not most users don't have that kind of control of their PHP configuration, so this setting allows at least some control of what kind of error handling PHP does.

      The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • Quote from: sottwell at Mar 19, 2013, 11:10 PM
        The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

        Which is the best and safest? Or are they pretty much all the same?

        When modifying the setting, does this change the main admin setting as well (created on install) ?

        Cheers
        • Thanks.
          point. This is an easy solution. It is not perfect.

          • Add salt
          • The hash is different for every member, even if they set the same password
          • The default setting is no stretching
          • But, if the server supports it, you can use the crypt function

          The reason for not stretching: DoS attacks against the login screen.
          • Quote from: sottwell at Mar 19, 2013, 06:10 PM
            The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

            Okay, so I can choose, but as yama (who worked on this?) points out, I should not use stretching? Is he saying I should best use the (default) latter one?
            A reason not stretching. The DoS attack to a login screen.

            I'm in Evolution 1.0.10. Now, how can I call this myself with PHP? This used to be md5('mypassword'). How do I do it for the option UNCRYPT(32 chars salt + SHA-1 hash)? I couldn't find much information on this term. I need this because I use some of my own web_user functions.

            So, when I look into /manager/save_web_user.processor.php, the creation (line 117) and updating (line 279) of web_user passwords still use md5..
            When I look into /manager/save_password.processor.php I find the code snippet below. Is that what I need? Does $modx->manager->genHash() automatically take my chosen hash algorithm, and does it use the user ID as the seed?
            ..
            $uid = $modx->getLoginUserID();
            $f['password'] = $modx->manager->genHash($pass1, $uid);
            ..


            As you've already figured out I'm quite noobish on encryption ;-)
            Cheers.
              Accelerate your Windows system with 9.8 m/s2.
            • Okay, so I looked up the modx getHash() and read more about encryption and hashing. I made a little module, so I can do some simple tests and checks with it.

              So far so good, I now understand better what's happening. I now tend to think modx isn't really using blowfish or sha512, but is giving some kind of twist to it. Right?

              Anywho. I noticed that getHash() is using md5 for the salt prefix. For Blowfish this means that for the salt 'only' 16 out of the 63 different characters are used. For sha256/512 I read that salt strings should begin with 'rounds=[N]'. The default for N is 5000. I guess getHash() skipping this means it defaults to 'rounds=5000' in the calculation.

              Finally, when the seed is the user ID, this will often be 1 for the admin user. All together, from an encryption point of view, this might not be the best approach. On the other hand, 3 wrong login attempts means I'm blocking you. So there you have it.. as he replies to himself

              Cheers.
                Accelerate your Windows system with 9.8 m/s2.
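Worked example added by the editor (not MODX code and not from anyone in this thread): it puts a salt derived from md5() of a predictable seed, the pattern IngMA describes, next to a CSPRNG salt drawn from the full crypt() alphabet, for both the Blowfish ($2y$) and SHA-512 ($6$rounds=N$) schemes, and shows the constant-time check used at login. It assumes PHP 7 or later (random_bytes, hash_equals, $2y$ support); the function names are the editor's own.

```php
<?php
// Editor's example: how salt construction and the stretching parameter
// affect crypt()-based password hashes. Not MODX code.

function md5DerivedSalt($seed, $length) {
    // Weak pattern from the thread: hex output of md5() uses only 16 of the
    // 64 salt characters, and a fixed seed (e.g. user id 1) always yields
    // the same salt, so equal passwords produce equal hashes.
    return substr(md5((string)$seed), 0, $length);
}

function randomSalt($length) {
    // The crypt() salt alphabet is ./0-9A-Za-z (64 characters); draw each
    // character from a CSPRNG (random_bytes is PHP 7+).
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $bytes = random_bytes($length);
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) & 63];
    }
    return $salt;
}

function blowfishHash($password, $salt22, $cost = 10) {
    // Blowfish settings string: $2y$ + two-digit cost + 22 salt characters.
    // The cost is the stretching knob: each +1 doubles the work, so keep it
    // bounded so that login stays cheap enough to survive a flood of attempts
    // (yama's DoS concern) while still slowing offline guessing.
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt22));
}

function sha512Hash($password, $salt16, $rounds = 5000) {
    // SHA-512 crypt settings string: $6$rounds=N$ + up to 16 salt chars + $.
    // Leaving out rounds= gives the implementation default of 5000.
    return crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt16));
}

function verifyHash($password, $storedHash) {
    // crypt() re-derives the hash from the scheme, cost/rounds and salt that
    // are embedded in the stored value; compare in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed sample: the same password hashed three ways.
$weak   = blowfishHash('correct horse', md5DerivedSalt(1, 22));       // predictable salt
$strong = blowfishHash('correct horse', randomSalt(22), 12);          // random salt, cost 12
$sha    = sha512Hash('correct horse', randomSalt(16), 20000);         // explicit rounds
var_dump(verifyHash('correct horse', $weak), verifyHash('wrong', $strong), verifyHash('correct horse', $sha));
```

Running it twice shows $weak unchanged between runs while $strong and $sha differ, which is the per-user-salt property yama lists; the var_dump prints true, false, true.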