
Change Hash? 2.1.6

Rekkeh New
edited December 2014 in Vanilla 2.0 - 2.8

I'm currently in the middle of making a website. It has a login system with sha512 hashed passwords. I was wondering if there's a way to make the forum use sha512 instead of how it is by default, so the same login can be used and there will be no need to re-register.

Comments

  • What you probably need is a Single Sign On like jsConnect. People often mix up Authentication with logon and passwords and password hashes. It is not good practice to pass passwords between applications.

    If you were importing everything into Vanilla from some old system, then it would make sense to maintain or convert the hashed passwords.

    Note Vanilla doesn’t simply hash the password; it uses HMAC sessions, which means the sessions are not stored anywhere on the server. Gdn_Session has nothing to do with authentication. This means this information will not be jack-potted by attacking the server.

    Using a strong hash is only part of securing passwords and authentication.

    Actually there is a way that you can process salted sha256 passed passwords, however like I said it is probably not what you want, unless you explain better.

    grep is your friend.
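The comment above contrasts password hashing with HMAC-signed sessions that the server never stores. The following is an added example, not Vanilla's code and not a description of Gdn_Session: a stateless session token whose payload is authenticated with an HMAC under a server-side secret (`SECRET_KEY` here is a constructed placeholder), so the server keeps no session table yet can reject any token it did not issue, any tampered payload, and any expired token.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder for this example; a real deployment loads the key
# from configuration and rotates it, it never lives in source code.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token is cookie- and URL-friendly.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: int, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Build '<payload>.<tag>' where tag = HMAC-SHA256(SECRET_KEY, payload).

    The server stores nothing: the token itself carries the user id and expiry,
    and the HMAC tag is what makes those claims trustworthy later.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
        uid, exp = int(claims["uid"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if exp < now:
        return None  # expired; the payload is authentic but no longer valid
    return uid

if __name__ == "__main__":
    t = issue_token(42)
    print("issued:", t)
    print("verified uid:", verify_token(t))
```

Because the tag is computed over the whole payload, changing the `uid` or `exp` fields without the key invalidates the token; the cost of this design is that revocation before expiry needs a separate mechanism (short TTLs or a deny-list), which is the usual trade-off of stateless sessions.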

  • Linc Detroit Admin
    edited December 2014

    @Rekkeh To do that, I'd use the latest master branch on GitHub rather than the official 2.1.6 if you don't mind living dangerously. We made that possible natively for the next version. Or just use 2.1.6 for now and know you'll get upgraded soon. :)

  • x00 MVP
    edited December 2014

    It is already possible to do under Django hashes, no need to live dangerously.

    The phpass using a specific hash algo, or some other system, is somewhat different from just using a salted hash.

    More important is the reason for doing it. As per the OP's explanation, SSO is the intention, so SSO is the likely solution to this problem.

    grep is your friend.
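The replies above separate two cases: an import from an old system, where keeping or converting the existing salted hashes makes sense, and a plain salted hash, which is weaker than a purpose-built password scheme. The following is an added example, not Vanilla's or phpass's code, showing the defensive pattern for the import case: the login path still verifies a legacy salted SHA-512 record (format `sha512$<hexsalt>$<hexdigest>`, constructed for this example), and on the first successful login it rehashes the password into PBKDF2-SHA256 so the weak record is retired without forcing anyone to re-register. The iteration count and record formats are assumptions, not Vanilla settings.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for the upgraded scheme; tune to the server's CPU budget.
PBKDF2_ITERATIONS = 600_000

def legacy_sha512_hash(password: str, salt: bytes) -> str:
    """Constructed legacy record: a single unsalted-iteration SHA-512 of salt || password.

    Fast hashes like this are cheap to brute-force offline, which is why the
    login path below upgrades them instead of keeping them.
    """
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Upgraded record: pbkdf2_sha256$<iterations>$<hexsalt>$<hexkey>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format; unknown formats are refused."""
    try:
        scheme, rest = stored.split("$", 1)
        if scheme == "sha512":
            salt_hex, _digest = rest.split("$", 1)
            candidate = legacy_sha512_hash(password, bytes.fromhex(salt_hex))
        elif scheme == "pbkdf2_sha256":
            iters, salt_hex, _dk = rest.split("$", 2)
            candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
        else:
            return False
    except ValueError:
        return False  # malformed record
    # Constant-time compare of the full encoded records.
    return hmac.compare_digest(candidate, stored)

def login(password: str, stored: str) -> Tuple[bool, str]:
    """Return (ok, record_to_store).

    On a successful login against a legacy record the returned record is the
    PBKDF2 one, so the caller persists it and the legacy hash disappears.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha512$"):
        return True, pbkdf2_hash(password)
    return True, stored

if __name__ == "__main__":
    # Constructed sample: an account imported from the old sha512-based site.
    old_record = legacy_sha512_hash("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff"))
    ok, new_record = login("correct horse", old_record)
    print(ok, new_record.split("$")[0])
```

The same `verify` dispatch is where a migrating site would add its real legacy format (phpass records, for instance) as one more branch, and the `login` upgrade step is what lets that branch be deleted once no legacy records remain.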
