Forum posts to 'Extending and hacking'

Re: Setting Security it use sha1 but no salt.

Josh Kosmala — Fri, 09 May 2008 11:06:02 +1200

Thanks for pointing that out Sam, my problem is now solved!

Posted to: Setting Security it use sha1 but no salt.

Re: Setting Security it use sha1 but no salt.

Sam Minnee — Fri, 09 May 2008 09:24:11 +1200

The encrypted password is then packed into a base 36 number (0-9 then A-Z). I wouldn't have necessary built it this way, but it's difficult to change now without breaking everyone's sites.

// Convert the base of the hexadecimal password to 36 to make it shorter
// In that way we can store also a SHA256 encrypted password in just 64
// letters.
$password = substr(base_convert($password, 16, 36), 0, 64);

Perhaps we could add additional encryption types to the Password encryption column, like sha1-unpacked, which would skip this procedure? Using a string-suffix like this would require fewer API changes than adding a 3rd encryption parameter.

Posted to: Setting Security it use sha1 but no salt.

Setting Security it use sha1 but no salt.

Josh Kosmala — Wed, 30 Apr 2008 16:34:13 +1200

Hey,

I'm trying to migrate a site from a CMS that uses straight SHA1 encryption - but can't get my SS site to encrypt in SHA1 only.

I have set the following lines in sapphire/_config.php

Security::encrypt_passwords(true);
Security::set_password_encryption_algorithm('sha1', false);

and also set the current values in Security.php

protected static $encryptPasswords = true;
protected static $encryptionAlgorithm = 'sha1';
protected static $useSalt = false;

however the site is not using straight SHA1. The salt column in the db is now NULL but it's still a strange encryption that won't match the old user passwords which are all sha1.

SS 2.2.1

Any ideas where i'm going wrong?

Cheers,
Josh

Posted to: Setting Security it use sha1 but no salt.