[geeklog-devel] Password Update Makes "sectest" Password Check Useless
websitemaster at cogeco.net
Fri Feb 10 09:17:47 EST 2012
I would still check the admin account for "password" just so we can cover
those first-time installs.
BTW I did try out openid last night and everything seemed fine.
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Vincent Furia
Sent: February-10-12 1:46 AM
Subject: [geeklog-devel] Password Update Makes "sectest" Password Check
I'll just copy and paste the comment I just wrote in the code for
checkDefaultPassword in sectest.php:
/* The following will only work as long as the default admin password is stored in the DB using
 * md5, no salt, and no (1) stretch. Since we are salting passwords now, there is no good way
 * to scan the user table for a common password without rehashing common passwords for every user
 * which is clearly not feasible. Because the md5 hash will be replaced on Admin's first login,
 * this functionality becomes useless, especially for new installs.
 */
It would be easy to check if the Admin account was using "password", but a
check for all users like we're doing now isn't feasible. We secured
ourselves out of a trivial password check mechanism... Should we scrap this
altogether? Only check the Admin account? Check all Root accounts? Or does
anyone have any other ideas?
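As an added illustration of the point above (this is not Geeklog code; the user rows are constructed and PBKDF2-HMAC-SHA256 is a stand-in for whatever salted, stretched scheme the project uses), a Python sketch of why the unsalted scan was a single hash comparison and why a salted check has to be scoped to a few accounts such as Admin or the Root group:

```python
import hashlib
import hmac
import os

# Stand-in stretch factor for the salted scheme (assumption, not a Geeklog setting).
ITERATIONS = 1000


def legacy_record(password):
    """Row as the old sectest check expected it: unsalted, unstretched md5."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}


def salted_record(password, salt=None):
    """Row after the password update: per-user salt plus a stretched hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": digest}


# Constructed sample user table. Admin is a fresh install that has never
# logged in, so its md5 row has not yet been replaced by a salted one.
USERS = {
    "Admin": {"group": "Root", "pw": legacy_record("password")},
    "alice": {"group": "Root", "pw": salted_record("password")},
    "bob":   {"group": "User", "pw": salted_record("correct horse")},
    "carol": {"group": "User", "pw": legacy_record("password")},
}


def scan_unsalted(users, candidate):
    """Old approach: hash the candidate once and compare it against every md5
    row. Cost is one hash no matter how many users exist. Salted rows are
    invisible to this scan. Returns (matching usernames, hashes computed)."""
    target = hashlib.md5(candidate.encode()).hexdigest()
    hits = [u for u, r in users.items()
            if r["pw"]["scheme"] == "md5" and hmac.compare_digest(r["pw"]["hash"], target)]
    return hits, 1


def check_accounts(users, candidate, accounts):
    """Salted approach: every account needs its own stretched hash of the
    candidate, so cost grows with len(accounts). Limiting `accounts` (Admin
    only, or the Root group) is what keeps this feasible."""
    hits, hashes = [], 0
    for u in accounts:
        rec = users[u]["pw"]
        if rec["scheme"] == "md5":
            ok = hmac.compare_digest(rec["hash"], hashlib.md5(candidate.encode()).hexdigest())
        else:
            ok = hmac.compare_digest(
                rec["hash"], hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], ITERATIONS))
        hashes += 1
        if ok:
            hits.append(u)
    return hits, hashes


def root_accounts(users):
    """Accounts in the Root group: the natural scope for a targeted check."""
    return [u for u, r in users.items() if r["group"] == "Root"]
```

Note that the unsalted scan misses alice entirely even though her password is "password"; only the per-account check finds her, at one stretched hash per account examined.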