[geeklog-devel] Password Update Makes "sectest" Password Check Useless
vfuria at gmail.com
Fri Feb 10 01:46:15 EST 2012
I'll just copy and paste the comment I just wrote in the code for
checkDefaultPassword in sectest.php:
/* The following will only work as long as the default admin password is stored in the DB using
 * md5, no salt, and no (1) stretch. Since we are salting passwords now, there is no good way
 * to scan the user table for a common password without rehashing common passwords for every user,
 * which is clearly not feasible. Because the md5 hash will be replaced on Admin's first login,
 * this functionality becomes useless, especially for new installs.
 */
It would be easy to check if the Admin account was using "password", but a
check for all users like we're doing now isn't feasible. We secured
ourselves out of a trivial password check mechanism... Should we scrap this
altogether? Only check the Admin account? Check all Root accounts? Or does
anyone have any other ideas?
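As an added example (not Geeklog's sectest.php code), the two checks side by side: the old unsalted-md5 scan, where one precomputed digest is compared against every row, and a per-account check limited to Root users, where the candidate password must be rehashed under each user's own salt. It assumes PHP's password_hash()/password_verify() as a stand-in for Geeklog's own salted format and runs on constructed sample rows.

```php
<?php
// Constructed sample rows standing in for the users table (not real data).
$legacyUsers = [
    ['uid' => 2, 'username' => 'Admin', 'passwd' => md5('password')],
    ['uid' => 3, 'username' => 'alice', 'passwd' => md5('hunter2')],
];
$saltedUsers = [
    ['uid' => 2, 'username' => 'Admin', 'isRoot' => true,
     'passwd' => password_hash('password', PASSWORD_BCRYPT, ['cost' => 10])],
    ['uid' => 3, 'username' => 'alice', 'isRoot' => false,
     'passwd' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10])],
];

// Old check: with unsalted md5 every user who chose the default has the same
// digest, so one hash and one comparison per row (or a single SQL WHERE) is enough.
function legacyDefaultPasswordUsers(array $users, string $default = 'password'): array
{
    $digest = md5($default);
    $hits = [];
    foreach ($users as $u) {
        if (hash_equals($digest, $u['passwd'])) {
            $hits[] = $u['username'];
        }
    }
    return $hits;
}

// New check: each row carries its own salt, so the candidate has to be rehashed
// per user. Restricting the scan to Root accounts keeps the cost bounded at
// (root accounts x candidates) slow hashes instead of (all users x candidates).
function saltedDefaultPasswordRoots(array $users, array $candidates = ['password']): array
{
    $hits = [];
    foreach ($users as $u) {
        if (empty($u['isRoot'])) {
            continue;
        }
        foreach ($candidates as $candidate) {
            if (password_verify($candidate, $u['passwd'])) {
                $hits[] = $u['username'];
                break;
            }
        }
    }
    return $hits;
}

print_r(legacyDefaultPasswordUsers($legacyUsers));
print_r(saltedDefaultPasswordRoots($saltedUsers));
```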