[geeklog-devel] Password Update Makes "sectest" Password Check Useless

Tom websitemaster at cogeco.net
Fri Feb 10 09:17:47 EST 2012


I would check the admin account still for "password" just so we can cover
those first-time installs.


BTW I did try out openid last night and everything seemed fine.


Tom


From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Vincent Furia
Sent: February-10-12 1:46 AM
To: Geeklog
Subject: [geeklog-devel] Password Update Makes "sectest" Password Check Useless


I'll just copy and paste the comment I just wrote in the code for
checkDefaultPassword in sectest.php:

   /* The following will only work as long as the default admin password is
    * stored in the DB using md5, no salt, and no (1) stretch. Since we are
    * salting passwords now, there is no good way to scan the user table for
    * a common password without rehashing common passwords for every user,
    * which is clearly not feasible. Because the md5 hash will be replaced
    * on Admin's first login, this functionality becomes useless, especially
    * for new installs. FIXME
    */

It would be easy to check if the Admin account was using "password", but a
check for all users like we're doing now isn't feasible. We secured
ourselves out of a trivial password check mechanism... Should we scrap this
altogether? Only check the Admin account? Check all Root accounts? Or does
anyone have any other ideas?

-Vinny
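The trade-off Vinny describes, worked through as an added example that is not Geeklog code and not from either poster: once hashes carry a per-user salt and a stretch count, the only way to test for a default password is to re-derive the hash per account, so the check stays cheap only if it is restricted to a handful of privileged accounts (Admin, or all Root members). The user table, the "pbkdf2$iterations$salt$hash" storage format, the group flag and the list of default passwords below are all constructed for the illustration; Geeklog's real schema and hash format are not assumed.

```python
"""Default-password check against salted, stretched hashes (added example).

Shows why the old unsalted-md5 table scan no longer works and how a targeted
check over Root accounts only remains feasible.  All rows, salts and the
storage format are constructed here; they are not Geeklog's.
"""
import hashlib
import hmac

# Candidate default passwords to test (constructed list).
DEFAULT_PASSWORDS = ("password", "admin", "geeklog")

# Stretch count for the constructed salted format.  Kept small so the example
# runs quickly; a real deployment would use a much larger value.
ITERATIONS = 2000


def legacy_md5(password: str) -> str:
    """Old storage format: md5(password), no salt, no stretch."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Assumed new storage format: 'pbkdf2$<iters>$<salt-hex>$<hash-hex>'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def password_matches(stored: str, candidate: str) -> bool:
    """Re-derive the hash for `candidate` using the row's own salt and stretch
    count, then compare in constant time.  Legacy rows fall back to md5."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(candidate), stored)


def build_sample_users():
    """Constructed user table.  Fixed salts keep the example deterministic."""
    s1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    s2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    s3 = bytes.fromhex("0123456789abcdef0123456789abcdef")
    return [
        # Admin logged in once, so the md5 hash was replaced by a salted one;
        # the old scan (hash == md5("password")) can no longer see it.
        {"uid": 2, "username": "Admin", "is_root": True,
         "passwd": salted_hash("password", s1)},
        {"uid": 3, "username": "alice", "is_root": True,
         "passwd": salted_hash("c0rrect-h0rse-battery", s2)},
        # Never logged in since the upgrade: still the legacy format.
        {"uid": 4, "username": "bob", "is_root": False,
         "passwd": legacy_md5("password")},
        {"uid": 5, "username": "carol", "is_root": False,
         "passwd": salted_hash("admin", s3)},
    ]


def check_default_passwords(users, only_root: bool = True):
    """Return (username, password) pairs for accounts still using a default
    password.  With only_root=True the work is bounded by the number of Root
    accounts; with only_root=False every row must be rehashed per candidate."""
    flagged = []
    for row in users:
        if only_root and not row["is_root"]:
            continue
        for pw in DEFAULT_PASSWORDS:
            if password_matches(row["passwd"], pw):
                flagged.append((row["username"], pw))
                break
    return flagged


def candidate_hash_count(users, only_root: bool = True) -> int:
    """Number of hash derivations the check costs: rows checked times
    candidates.  This is what makes the whole-table variant infeasible once
    each derivation is salted and stretched."""
    rows = sum(1 for r in users if r["is_root"] or not only_root)
    return rows * len(DEFAULT_PASSWORDS)


if __name__ == "__main__":
    table = build_sample_users()
    print("Root-only:", check_default_passwords(table),
          "cost", candidate_hash_count(table))
    print("All users:", check_default_passwords(table, only_root=False),
          "cost", candidate_hash_count(table, only_root=False))
```

The cost function is the point of the design: with a stretch count chosen to make each derivation slow, a scan over N users and M candidates costs N·M stretched hashes, while restricting it to Root accounts keeps N to a handful and makes the check practical again, at the price of no longer catching a non-privileged user such as "carol" above.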
