<![CDATA[ New System Settings - Hash algorithm & Detection level of the PHP error - MODX Community Forums]]> https://forums.modx.com/thread/?thread=83269 <![CDATA[Re: New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-469825
So far so good, I now understand better what's happening smiley I now tend to think modx isn't really using blowfish or sha512, but is giving some kind of twist to it. Right?

Anywho. I noticed that getHash() is using md5 for the salt prefix. For Blowfish this means that for the salt 'only' 16 out of the 63 different characters are used. For sha256/512 I read that saltstrings should begin with 'rounds=[N]'. The default for N is 5000. I guess getHash() skipping this means it defaults to 'rounds=5000' in the calculation.

Finally, when the seed is the user-id, this will often be 1 for the admin-user. All together from an encryption point of view, things might not be the best approach. On the other hand, bruteforcing the login 3 times false means I'm blocking you. So there you have it.. as he replies to himself shocked

Cheers.
]]>
IngMA Jun 24, 2013, 08:11 AM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-469825
<![CDATA[Re: New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-469762 Quote from: sottwell at Mar 19, 2013, 06:10 PM
The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

Okay, so I can choose, but as yama (who worked on this?) points out, I should not use strechting? Is he saying I should best use the (default) latter one?
A reason not stretching. The DoS attack to a login screen.

I'm in Evolution 1.0.10. Now, how I can call this myself with php? This used to be md5('mypassword'). How to do it for the option UNCRYPT(32 chars salt + SHA-1 hash)? I couldn't find much information on this term. I need this, because I use some own web_user functions.

So, when I look into /manager/save_web_user.processor.php the creation (line 117) and updating (line 279) of web_user passwords are still in md5..
When I look into /manager/save_password.processor.php I find the code-snippet below. Is that what I need? Does $modx->manager->genHash() automatically takes my chosen Hash Algorithm and does it use the useriD as seed?
..
$uid = $modx->getLoginUserID();
$f['password'] = $modx->manager->genHash($pass1, $uid);
..


As you've already figured out I'm quite noobish on encryption ;-)
Cheers.]]>
IngMA Jun 23, 2013, 05:02 AM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-469762
<![CDATA[Re: New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-460007 point. This is easy solution. This is not perfect.


  • Add salt
  • Hash is different every member even if set the same password
  • Default setting is no stretching
  • But, If a server supports, you can use the crypt function

A reason not stretching. The DoS attack to a login screen.]]>
yama Mar 24, 2013, 10:50 AM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-460007
<![CDATA[Re: New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-460005 Quote from: sottwell at Mar 19, 2013, 11:10 PM
The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

Which is the best, safest ? or are they pretty much all the same

When modifying the setting, does this change the main admin setting as well (created on install) ?

Cheers]]>
iusemodx Mar 24, 2013, 10:31 AM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-460005
<![CDATA[Re: New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-459391
The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.]]>
sottwell Mar 19, 2013, 06:10 PM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-459391
<![CDATA[New System Settings - Hash algorithm & Detection level of the PHP error]]> https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-459385
OK, "Detection level of the PHP error" is probably trial and test but "Hash algorithm" is new on me smiley

Cheers]]>
iusemodx Mar 19, 2013, 05:29 PM https://forums.modx.com/thread/83269/new-system-settings---hash-algorithm-detection-level-of-the-php-error#dis-post-459385