RevCMS Encryptation

  1. #1
    DinamicUser (Apprentice) | Joined Dec 2013 | Italy | 19 posts

    RevCMS Encryptation

    Hello!
    You can improve security for your users:

    Open class.core.php
    REPLACE

    Code:
        final public function hashed($password)
        {
            return md5($password);
        }
    with

    Code:
        final public function hashed($password)
        {
            $salt = "choose";
            $salt2 = "choose";
            return sha1($salt.$password.$salt2);
        }
    In $salt and $salt2, insert a random word, for example:

    $salt = "549ut85fneif(%&495u8";
    $salt2 = "5y8j4g89jndfsaui080??";

    NB: If you can't log in because the error "Password incorrect" appears, you need to update all passwords from the md5-only encryptation to the new encryptation.
    Last edited by DinamicUser; 26-06-17 at 05:16 AM. Reason: Added NB


  2. #2
    BurakDev (Developer) | Joined Mar 2013 | Paris | 376 posts

    Re: RevCMS Encryptation

    You can improve it by generating a random salt per user.

    If you want to change the existing password hash algorithm, just create a new column "password_v2" and, when the user logs in, empty the old md5 shit.

  3. #3
    TheCipher (Novice) | Joined Jun 2017 | 4 posts

    Re: RevCMS Encryptation

    This is not really a release but a tutorial. Lols

  4. #4
    Keiz (The ****) | Joined Nov 2015 | 238 posts

    Re: RevCMS Encryptation

    Quote, originally posted by BurakDev:
        You can improve it by generating a random salt per user.

        If you want to change the existing password hash algorithm, just create a new column "password_v2" and, when the user logs in, empty the old md5 shit.

    Note that this makes 0 sense unless you save the "random" salt somewhere.
    Randomly assigning salts every login attempt would obviously not work.
    Not accusing you, I'm sure you know, just for anyone interested in this option.

  5. #5
    NoBrain "(still lacks brains)" | Joined Sep 2011 | United Kingdom | 2,658 posts

    Re: RevCMS Encryptation

    Quote, originally posted by BurakDev:
        You can improve it by generating a random salt per user

    Utterly pointless and creates unnecessary overhead.

    Just use the built-in PHP (PhP for marit) password functions since they are perfectly suitable. Anything like MD5 or SHA1 has been cracked and is deemed not safe by a lot of developers. Also OP forgot to mention this will break all existing passwords and will not allow the user to log in - plus he's not actually hashing the password, all he is doing is adding extra characters to the string that SHA1 is encrypting. Plus, he should be using something like bcrypt. Spell "encryption" correctly too pls.

    PHP: password_hash - Manual

  6. #6
    Ben (Developer - JS) | Joined Jul 2013 | Belgium | 1,244 posts

    Re: RevCMS Encryptation

    Moved to tutorials however this is no rocket science.

  7. #7
    TheCipher (Novice) | Joined Jun 2017 | 4 posts

    Re: RevCMS Encryptation

    Quote, originally posted by Ben:
        Moved to tutorials however this is no rocket science.

    Thank you for moving it. I'm gonna make a tutorial on how to "encrypt" with BCRYPT. Because I know no one knows how to google anything.

  8. #8
    DinamicUser (Apprentice) | Joined Dec 2013 | Italy | 19 posts

    Re: RevCMS Encryptation

    I'm sorry but I'm Italian.
    If you want, you can correct it. @NoBrain

  9. #9
    Geo (Apprentice) | Joined May 2016 | United Kingdom | 16 posts

    Re: RevCMS Encryptation

    Quote, originally posted by DinamicUser:
        Hello!
        You can improve security for your users:

        Open class.core.php
        REPLACE

        Code:
            final public function hashed($password)
            {
                return md5($password);
            }
        with

        Code:
            final public function hashed($password)
            {
                $salt = "choose";
                $salt2 = "choose";
                return sha1($salt.$password.$salt2);
            }
        In $salt and $salt2, insert a random word, for example:

        $salt = "549ut85fneif(%&495u8";
        $salt2 = "5y8j4g89jndfsaui080??";

        NB: If you can't log in because the error "Password incorrect" appears, you need to update all passwords from the md5-only encryptation to the new encryptation.

    This barely increases security for users. Both MD5 and SHA1 are deprecated and considered unsafe for use due to practical collision attacks on them.

    Further, this is hashing; not encryption. There's a huge difference.

    You shouldn't choose your own salt like that unless you know what you're doing, it is generally safer to let the proper system functions generate you one (/dev/urandom on UNIX & CryptGenRandom on Windows).

    As mentioned above, you also didn't discuss backward compatibility issues. This would render an already active hotel broken since already existing users wouldn't be able to authenticate.

    Use the native PHP functions: password_hash, password_verify, & password_needs_rehash for this. This will allow you to generate passwords with bcrypt which is considered modern and safe (this will also automatically generate you a secure salt, based on what system you are running).

    password_needs_rehash can be used to check if the user's database hash is of another algorithm (such as MD5/SHA1), which will allow you to upgrade and store their new password without breaking anything.
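
Added example (not part of any post in this thread, and not RevCMS code): one way to carry out the migration that BurakDev and Geo describe, upgrading legacy md5() hashes to bcrypt at login with password_verify and password_needs_rehash. The in-memory $users array, the is_legacy_md5() and login() names, the sample account and the cost of 12 are assumptions made for illustration.

```php
<?php
// $users stands in for the users table; the row below is constructed sample data
// holding an old unsalted md5() hash, as the original hashed() would have stored it.
$users = ['alice' => ['password' => md5('hunter2')]];

function is_legacy_md5(string $stored): bool
{
    // md5() output is exactly 32 lowercase hex characters;
    // password_hash() output always starts with '$'.
    return (bool) preg_match('/^[a-f0-9]{32}$/', $stored);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    $legacy = is_legacy_md5($stored);

    if ($legacy) {
        // Old rows: compare against the md5 digest in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        // New rows: the salt and cost are encoded inside the stored string.
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available now, so this is the moment to upgrade:
    // legacy rows always, bcrypt rows when the configured cost has changed.
    $options = ['cost' => 12];
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $users[$name]['password'] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong'));            // wrong password against the legacy row
var_dump(login($users, 'alice', 'hunter2'));          // correct password, legacy path, triggers the upgrade
var_dump(is_legacy_md5($users['alice']['password'])); // format of the stored value after the upgrade
var_dump(login($users, 'alice', 'hunter2'));          // same password, now checked by password_verify
```

The password column has to be wide enough for the new string: bcrypt output is 60 characters, and the PHP manual recommends 255 to leave room for future algorithms.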

  10. #10
    Aamiainen (Member) | Joined Aug 2016 | Finland | 83 posts

    Re: RevCMS Encryptation

    As people already said using password_hash() and password_verify() will be much more secure.

    There's a tutorial for that too:
    http://forum.ragezone.com/f353/add-r...crypt-1134345/


