
Password Hashing



Hey guys,

I'm really new to ProcessWire, found it like two days ago but already love it :)

I just had a look at the wire folder and came across the userAuthHashType in config.php.

This is set to sha1 which is not too secure, it would be good to use a different hashing method.

If I'm right, version 2.4 (?) will make use of all these nice PHP 5.3+ features, as well as Composer.

PHP 5.4 will fight bad password hashing by providing a password_hash() function; until then it might be good to use the ircmaxell/password_compat library. What do you think? :)


Hi FvG. If I'm correct, PW has already implemented this, at least in the more current dev versions. If available it uses bcrypt hashing, which is one of the strongest. Some inspiration is also taken from the library you mentioned.

Have a look through Password.php to see what's going on.


In ProcessWire 2.3, the $config->userAuthHashType is only used as a fallback if bcrypt/blowfish isn't available.

Anthony Ferrara's password_compat library is great btw. We are using portions of it in the current Password class. We may switch to using it in full once we're fully transitioned to PHP 5.3. He's one of those guys that the PHP community is very lucky to have. Brilliant coder, but also has the heart of the teacher and the ability to communicate complex things in a way anyone can understand (especially with his videos).

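The thread describes bcrypt as the preferred hash with SHA-1 kept only as a fallback. The following is an added example, not part of the original posts and not ProcessWire's Password class, showing how a login routine can verify an old SHA-1 hash and upgrade it to bcrypt using the password_hash() API (native in PHP 5.5+, backported by password_compat). The `legacy_sha1()` helper, the `$user` array layout and the sample credentials are assumptions made for illustration; the code as written targets PHP 7+.

```php
<?php
// Added example, not ProcessWire code. legacy_sha1(), the $user array layout
// and the sample credentials are constructed for illustration.

// Stand-in for an old salted-SHA-1 scheme, kept only to verify existing hashes.
function legacy_sha1(string $password, string $salt): string
{
    return sha1($salt . $password);
}

// Check a login attempt. On success, replace a legacy or outdated hash with a
// current bcrypt hash. Returns [bool $ok, array $user]; persist $user if $ok.
function verify_and_upgrade(array $user, string $password, int $cost = 12): array
{
    $options = ['cost' => $cost];
    // password_get_info() reports an empty algo (0 or null) for non-crypt hashes.
    $isLegacy = empty(password_get_info($user['hash'])['algo']);

    $ok = $isLegacy
        ? hash_equals($user['hash'], legacy_sha1($password, $user['salt']))
        : password_verify($password, $user['hash']);
    if (!$ok) {
        return [false, $user];
    }

    // The plaintext is only available at login, so this is the moment to rehash.
    if ($isLegacy || password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $options)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        $user['salt'] = null; // bcrypt stores its own salt inside the hash string
    }
    return [true, $user];
}

// Constructed sample record that still holds a legacy hash.
$user = ['name' => 'demo', 'salt' => 'a1b2c3', 'hash' => legacy_sha1('correct horse', 'a1b2c3')];

// Wrong password against the legacy hash.
list($ok, $user) = verify_and_upgrade($user, 'wrong guess');
var_dump($ok);

// Correct password: the legacy hash is verified once, then replaced.
list($ok, $user) = verify_and_upgrade($user, 'correct horse');
var_dump($ok, substr($user['hash'], 0, 4));

// Same password again, now checked through password_verify().
list($ok, $user) = verify_and_upgrade($user, 'correct horse');
var_dump($ok);
```

Because the rehash happens only on a successful login, accounts that never log in again keep their legacy hash until a forced reset.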
