[geeklog-devel] Google Code-in: Tasks and Mentors wanted!

Joe Mucchiello jmucchiello at yahoo.com
Sat Oct 30 14:43:08 EDT 2010


> Joe Mucchiello wrote:
> 
>>> Find a replacement for kses
>> Isn't this already solved?
> 
> Says who?

I don't think you are going to find a better solution than htmlawed. It is a
drop-in replacement for kses. It is still being developed (as far as I know). It
works with the existing config options. And there is a patch. What more do you
need? Perhaps if that were articulated someone could find a solution.

>>> Collect Information about Encryption Algorithms for Passwords
>> Um, change it to SHA1 (built in to PHP) and add some salt. The real
>> trick to this task is making the change.
> 
> Just skimming the Wikipedia article on SHA1:
> 
>> In light of the results for SHA-0, some experts suggested that plans for
>> the use of SHA-1 in new cryptosystems should be reconsidered.

As I understand it, SHA-1 is only broken for long term use - digitally signing a
mortgage document, for example. SHA-1 is only damaged. It is not cracked. For
short term hashing, it is still usable.

> I doubt anyone here is up to date on the discussion in the security
> community. Which is why this is a research task. It isn't supposed to make
> the decision for us, but to provide us with information so we have
> something to base our decision on.

Well, I try to stay up to date. The real flaw with Geeklog's password hash is no 
salt. That makes it vulnerable to dictionary attacks. Eliminating that flaw is 
the first minimal step. As long as the salt is unpredictable and different for 
each user you eliminate known value attacks. (Someone logs in, sets their 
password to something, then attacks the hash to find the salt.)
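
To make the point in the last paragraph concrete, here is an added Python example (not from the thread or from Geeklog) contrasting an unsalted SHA-1 store with a per-user salted one; the user names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users who chose the same password, and a
# tiny wordlist standing in for an attacker's dictionary.
USERS = {"alice": "hunter2", "bob": "hunter2"}
WORDLIST = ["password", "hunter2", "letmein"]

def unsalted_hash(password: str) -> str:
    """The scheme the thread calls flawed: hash the password alone.
    Identical passwords give identical digests, so one table built in
    advance from a wordlist matches every account using that word."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest' with a fresh, unpredictable per-user salt.
    The salt is stored beside the digest and need not be secret; it only
    has to differ per user so no table keyed on the password alone applies.
    (A deliberately slow hash such as PBKDF2 or bcrypt is preferred today.)"""
    if salt is None:
        salt = os.urandom(16)  # unpredictable and different for each user
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, stored = record.split("$", 1)
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate.hexdigest(), stored)

def precomputed_table_hits(records, wordlist):
    """Defender's check: how many stored digests does one precomputed SHA-1
    table of the wordlist match? Every unsalted account using a listed word
    is hit; salted records are not, because the table ignores the salt."""
    table = {unsalted_hash(w): w for w in wordlist}
    hits = {}
    for user, record in records.items():
        digest = record.split("$", 1)[-1]  # handles both record formats
        if digest in table:
            hits[user] = table[digest]
    return hits

def demo():
    """Return (hits against unsalted store, hits against salted store)."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: make_salted_record(p) for u, p in USERS.items()}
    return precomputed_table_hits(unsalted, WORDLIST), precomputed_table_hits(salted, WORDLIST)
```

Running `demo()` shows both unsalted accounts matched by the single table while neither salted record is, which is the whole gain from a unique per-user salt.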
