Author Topic: Not properly secured passwords  (Read 11190 times)

wilk

  • Translator
  • Coppermine regular visitor
  • **
  • Country: pl
  • Offline
  • Gender: Male
  • Posts: 51
  • Wilk Wilkowy
    • #QuizPL @ IRCnet
Not properly secured passwords
« on: June 27, 2016, 07:20:18 pm »

Please upgrade to more recent security standards in the password processing field. MD5 is ancient and practically forgotten in modern solutions. Even SHA1 is the past. Also, the lack of salting is terrible, not to mention the lack of iterations. Time for a BIG upgrade.

Yes, I know this is left for compatibility reasons, but this is very easy to overcome by changing the format while the user is logging in (auth & upgrade). Hashes could be kept in the same field in the DB (they would be recognizable by format).
PM me for Polish translations (new/update)
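
The "auth & upgrade" approach described in the post above, as an added PHP example that is not part of the original thread and is not Coppermine's own code. The in-memory `$users` array, the `hash` key and the function names are hypothetical stand-ins for a real user table; the sample account is constructed.

```php
<?php
// Added example: re-hash legacy unsalted MD5 passwords at login time.
// $users is a constructed in-memory stand-in for the user table.

function is_legacy_md5(string $stored): bool
{
    // Unsalted MD5 is exactly 32 hex characters; password_hash() output
    // starts with '$', so both formats can share one DB column.
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (is_legacy_md5($stored)) {
        // Legacy path: constant-time comparison against the old MD5 digest.
        $ok = hash_equals(strtolower($stored), md5($password));
        $upgrade = $ok;
    } else {
        // Modern path: salted, iterated hash; also catch outdated cost settings.
        $ok = password_verify($password, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($upgrade) {
        // The plaintext is only available during login, so upgrade here.
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample account stored in the legacy format.
$users = ['alice' => ['hash' => md5('correct horse')]];

var_dump(login($users, 'alice', 'wrong password'));  // failed login, no upgrade
var_dump(is_legacy_md5($users['alice']['hash']));    // still legacy format
var_dump(login($users, 'alice', 'correct horse'));   // succeeds via legacy path
var_dump(is_legacy_md5($users['alice']['hash']));    // now stored in new format
var_dump(login($users, 'alice', 'correct horse'));   // succeeds via password_verify
```

Accounts that never log in again keep their MD5 hash under this scheme, so a migration of this kind usually needs a follow-up such as forcing a password reset for rows still in the legacy format.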

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline
  • Gender: Male
  • Posts: 15764
Re: Not properly secured passwords
« Reply #1 on: June 27, 2016, 07:40:12 pm »

That feature has already been added to cpg1.6.x.

wilk

Re: Not properly secured passwords
« Reply #2 on: June 27, 2016, 11:52:05 pm »

That is great news! I hope the transition won't be problematic (just an upgrade, not a full reinstallation) and that plugins will mostly stay compatible.
PM me for Polish translations (new/update)