MD5 password hashing?!


Recommended Posts

Hi,

I'm using Prestashop for some projects, for a few months now..

Recently I was looking at the users/employees table and noticed that the passwords are saved as (salted) md5-hashes?!

Wouldn't it be better to use bcrypt or similar algorithms, since it is not really hard to find md5-collisions using the right hardware?

An idea to maintain backward-compatibility with older shops (that upgrade to newer Prestashop versions) would be to use a hybrid system:
Hash new customer/employee passwords with bcrypt and keep the old ones as md5.

When authenticating the user, first check the password hash length: if it's 60 characters long, verify with bcrypt, or, if it's 32 characters, check with md5.

 

Greetings
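The hybrid scheme proposed above, written out as an added example (not PrestaShop's own code). It assumes legacy rows hold `md5($salt . $password)` as 32 hex characters and new rows hold a `password_hash()` bcrypt string; it goes one step further than the post by dispatching on hash format rather than bare length, and by returning a fresh bcrypt hash after a successful legacy login so md5 rows disappear over time.

```php
<?php
// Added example, not PrestaShop code. LEGACY_SALT and the exact legacy
// md5($salt . $password) layout are assumptions for illustration.
const LEGACY_SALT = 'example-site-salt'; // constructed placeholder value

function hashNewPassword(string $password): string
{
    // Produces a 60-character "$2y$..." bcrypt string.
    return password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Verify $password against the stored hash. Returns null on failure;
 * otherwise returns the hash that should now be written back to the row:
 * the unchanged value, or a new bcrypt hash when the row still held md5
 * (transparent upgrade on login).
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    $info = password_get_info($stored);
    if ($info['algo'] !== null && $info['algo'] !== 0) {
        // Recognised modern hash: let password_verify() parse it instead of
        // trusting the length alone (a 60-char string is not proof of bcrypt).
        if (!password_verify($password, $stored)) {
            return null;
        }
        return password_needs_rehash($stored, PASSWORD_BCRYPT)
            ? hashNewPassword($password)
            : $stored;
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy md5 row: constant-time compare, then replace with bcrypt.
        $candidate = md5(LEGACY_SALT . $password);
        if (!hash_equals(strtolower($stored), $candidate)) {
            return null;
        }
        return hashNewPassword($password);
    }
    return null; // unknown format: refuse rather than guess
}

// Constructed demo: a legacy row is verified once, then upgraded.
$legacyRow = md5(LEGACY_SALT . 'correct horse');
$updated   = verifyAndUpgrade('correct horse', $legacyRow);
assert($updated !== null && strlen($updated) === 60);
assert(verifyAndUpgrade('wrong password', $legacyRow) === null);
assert(verifyAndUpgrade('correct horse', $updated) === $updated);
```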


  • 2 weeks later...

Really? No one?
Guys, this is security-related and fairly important..
If someone steals the user-passwords, and if he has enough computing power (no need for a super-computer), he can quite easily do dictionary-attacks or similar stuff..

Md5, even salted, is too fast, broken and bad.
