New System Settings - Hash algorithm & Detection level of the PHP error - My Forums

Re: New System Settings - Hash algorithm & Detection level of the PHP error

IngMA — Jun 24, 2013, 08:11 AM

Okay, so I looked up the modx getHash() and read more about encryption and hashing. I made a little module, so I can do some simple tests and checks with it.

So far so good, I now understand better what's happening I now tend to think modx isn't really using blowfish or sha512, but is giving some kind of twist to it. Right?

Anywho. I noticed that getHash() is using md5 for the salt prefix. For Blowfish this means that for the salt 'only' 16 out of the 63 different characters are used. For sha256/512 I read that saltstrings should begin with 'rounds=[N]'. The default for N is 5000. I guess getHash() skipping this means it defaults to 'rounds=5000' in the calculation.

Finally, when the seed is the user-id, this will often be 1 for the admin-user. All together from an encryption point of view, things might not be the best approach. On the other hand, bruteforcing the login 3 times false means I'm blocking you. So there you have it.. as he replies to himself

Cheers.

Re: New System Settings - Hash algorithm & Detection level of the PHP error

IngMA — Jun 23, 2013, 05:02 AM

Quote from: sottwell at Mar 19, 2013, 06:10 PM

The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

Okay, so I can choose, but as yama (who worked on this?) points out, I should not use strechting? Is he saying I should best use the (default) latter one?

A reason not stretching. The DoS attack to a login screen.

I'm in Evolution 1.0.10. Now, how I can call this myself with php? This used to be md5('mypassword'). How to do it for the option UNCRYPT(32 chars salt + SHA-1 hash)? I couldn't find much information on this term. I need this, because I use some own web_user functions.

So, when I look into /manager/save_web_user.processor.php the creation (line 117) and updating (line 279) of web_user passwords are still in md5..
When I look into /manager/save_password.processor.php I find the code-snippet below. Is that what I need? Does $modx->manager->genHash() automatically takes my chosen Hash Algorithm and does it use the useriD as seed?

..
$uid = $modx->getLoginUserID();
$f['password'] = $modx->manager->genHash($pass1, $uid);
..

As you've already figured out I'm quite noobish on encryption ;-)
Cheers.

Re: New System Settings - Hash algorithm & Detection level of the PHP error

yama — Mar 24, 2013, 10:50 AM

Thanks.
point. This is easy solution. This is not perfect.

Add salt
Hash is different every member even if set the same password
Default setting is no stretching
But, If a server supports, you can use the crypt function

A reason not stretching. The DoS attack to a login screen.

Re: New System Settings - Hash algorithm & Detection level of the PHP error

iusemodx — Mar 24, 2013, 10:31 AM

Quote from: sottwell at Mar 19, 2013, 11:10 PM

The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

Which is the best, safest ? or are they pretty much all the same

When modifying the setting, does this change the main admin setting as well (created on install) ?

Cheers

Re: New System Settings - Hash algorithm & Detection level of the PHP error

sottwell — Mar 19, 2013, 06:10 PM

Detection level lets you set the error level for PHP; for example if you want it to show notices and warnings or not. It is generally recommended to have PHP set to not display any errors at all, and log the errors in a log file instead. But many if not most users don't have that kind of control of their PHP configuration, so this setting allows at least some control of what kind of error handling PHP does.

The hash algorithm setting lets you choose what hashing algorithm to use for storing passwords, rather than the plain MD5 hash algorithm that's been used for passwords until now.

New System Settings - Hash algorithm & Detection level of the PHP error

iusemodx — Mar 19, 2013, 05:29 PM

Is there a chance that someone can explain what these settings actually do

OK, "Detection level of the PHP error" is probably trial and test but "Hash algorithm" is new on me

Cheers