trullala Posted June 17, 2014 Share Posted June 17, 2014 Hi, i'm using Prestashop for some projects since a few months now.. Recently i was looking at the users/employes table and noticed that the passwords are saved as (salted) md5-hashes?!Wouldn't it be better to use bcrypt or similar algorithms, since it is not really hard to find md5-collisions using the right hardware? An idea to maintain backward-compatibility to older shops (that upgrade to newer Prestashop versions) would be to use a hybrid system:Hash new customers/employe - passwords with bcrypt and keep the old ones as md5. When authenticating the user first check the password length, if its 60 characters long, verify with bcrypt, or, if it's 32 characters, check with md5. Greetings Link to comment Share on other sites More sharing options...
trullala Posted June 25, 2014 Author Share Posted June 25, 2014 Really? No one?Guys, this is security-related and fairly important..If someone steals the user-passwords, and if he has enough computing power (no need for a super-computer), he can quite easily do dictionary-attacks or similar stuff.. Md5, even salted, is too fast, broken and bad. Link to comment Share on other sites More sharing options...
Dh42 Posted June 25, 2014 Share Posted June 25, 2014 You could go to Advanced Parameters -> Perfromance and use the Blowfish encryption if you wanted. Link to comment Share on other sites More sharing options...
Recommended Posts