[geeklog-devel] Password Update Makes "sectest" Password Check Useless

Vincent Furia vfuria at gmail.com
Fri Feb 10 01:46:15 EST 2012


I'll just copy and paste the comment I just wrote in the code for
checkDefaultPassword in sectest.php:

    /* The following will only work as long as the default admin password is
     * stored in the DB using md5, no salt, and no (1) stretch. Since we are
     * salting passwords now, there is no good way to scan the user table for
     * a common password without rehashing common passwords for every user,
     * which is clearly not feasible. Because the md5 hash will be replaced
     * on Admin's first login, this functionality becomes useless, especially
     * for new installs. FIXME
     */

It would be easy to check if the Admin account was using "password", but a
check for all users like we're doing now isn't feasible. We secured
ourselves out of a trivial password check mechanism... Should we scrap this
altogether? Only check the Admin account? Check all Root accounts? Or does
anyone have any other ideas?

-Vinny
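The cost difference the post is describing, as an added example (not code from the post or from Geeklog itself): with unsalted md5 the default-password check is one hash and a string compare per row, while with per-user salts every row needs its own key-derivation run, so the check only stays cheap if it is narrowed to a few accounts. The salted format used here (a `pbkdf2$rounds$salt$digest` string with PBKDF2-SHA256) is an assumed stand-in, not Geeklog's real scheme; the `USERS` rows, salts and `root` flags are constructed sample data.

```python
import hashlib
from typing import Dict, List, Tuple

DEFAULT_PASSWORD = "password"   # the default that the sectest check looks for


def legacy_md5(password: str) -> str:
    """Old storage format described in the post: md5, no salt, no stretching."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt_hex: str, rounds: int) -> str:
    """Stand-in salted, stretched scheme (assumption; not Geeklog's algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), rounds).hex()


def encode_salted(password: str, salt_hex: str, rounds: int = 1000) -> str:
    """Self-describing record so a checker can recover salt and round count."""
    return "pbkdf2${}${}${}".format(rounds, salt_hex,
                                    salted_hash(password, salt_hex, rounds))


# Constructed sample of a users table: uid, Root-group membership, stored
# passwd field. Fixed salts keep the example deterministic. uid 2 is an Admin
# that has not logged in since the upgrade, so it still carries the md5 form.
USERS: List[Dict] = [
    {"uid": 2, "root": True,  "passwd": legacy_md5(DEFAULT_PASSWORD)},
    {"uid": 3, "root": True,  "passwd": encode_salted(DEFAULT_PASSWORD, "0a1b2c3d")},
    {"uid": 4, "root": False, "passwd": encode_salted("correct horse", "deadbeef")},
    {"uid": 5, "root": False, "passwd": encode_salted("s3cret!", "cafebabe")},
]


def legacy_scan(users: List[Dict]) -> Tuple[List[int], int]:
    """The old check: one md5 of the default, compared against every row.
    Returns (uids flagged, hashes computed). Silently misses salted rows."""
    target = legacy_md5(DEFAULT_PASSWORD)
    return [u["uid"] for u in users if u["passwd"] == target], 1


def verify(stored: str, candidate: str) -> Tuple[bool, int]:
    """Return (matches, hashes computed) for either storage format."""
    if stored.startswith("pbkdf2$"):
        _, rounds, salt_hex, digest = stored.split("$")
        return salted_hash(candidate, salt_hex, int(rounds)) == digest, 1
    return legacy_md5(candidate) == stored, 1


def full_scan(users: List[Dict]) -> Tuple[List[int], int]:
    """Salt-aware check over every user: correct, but one hash per row."""
    hits, work = [], 0
    for u in users:
        ok, n = verify(u["passwd"], DEFAULT_PASSWORD)
        work += n
        if ok:
            hits.append(u["uid"])
    return hits, work


def root_only_scan(users: List[Dict]) -> Tuple[List[int], int]:
    """The narrower option raised in the post: hash only for Root accounts."""
    return full_scan([u for u in users if u["root"]])


if __name__ == "__main__":
    print("legacy   :", legacy_scan(USERS))      # finds only the md5 row
    print("full     :", full_scan(USERS))        # finds both, hashes every row
    print("root only:", root_only_scan(USERS))   # finds both, hashes 2 rows
```

The work counter is what matters at scale: `full_scan` grows linearly with the user table (times the number of common passwords checked), whereas restricting the check to Root-group accounts keeps it bounded by the handful of privileged rows, which is why the post's "only check Root accounts" option is the one that keeps the check both accurate and cheap.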