Topic: Setting Security to use sha1 but no salt.

30 April 2008 at 4:34pm
Hey,
I'm trying to migrate a site from a CMS that uses straight SHA1 encryption - but can't get my SS site to encrypt in SHA1 only.
I have set the following lines in sapphire/_config.php
Security::encrypt_passwords(true);
Security::set_password_encryption_algorithm('sha1', false);
and also set the current values in Security.php
protected static $encryptPasswords = true;
protected static $encryptionAlgorithm = 'sha1';
protected static $useSalt = false;
However, the site is not using straight SHA1. The salt column in the db is now NULL but it's still a strange encryption that won't match the old user passwords, which are all sha1.
SS 2.2.1
Any ideas where I'm going wrong?
Cheers,
Josh
Last edited: 30 April 2008 at 6:08pm

9 May 2008 at 9:24am
The encrypted password is then packed into a base 36 number (0-9 then A-Z). I wouldn't have necessarily built it this way, but it's difficult to change now without breaking everyone's sites.
// Convert the base of the hexadecimal password to 36 to make it shorter
// In that way we can store also a SHA256 encrypted password in just 64
// letters.
$password = substr(base_convert($password, 16, 36), 0, 64);
Perhaps we could add additional encryption types to the Password encryption column, like sha1-unpacked, which would skip this procedure? Using a string-suffix like this would require fewer API changes than adding a 3rd encryption parameter.
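
Added example (not part of the thread and not SilverStripe's own code): assuming the unsalted configuration stores exactly the value produced by the line quoted above, legacy SHA1 hex digests can be converted to that stored form at import time. The function names are hypothetical and the sample password is constructed; the final comparison relates to the PHP manual's warning that base_convert() may lose precision on large numbers.

```php
<?php
// Added example. Function names are hypothetical, not SilverStripe API.

// Apply the packing step quoted in the post above to a hex digest.
function pack_digest(string $hex): string
{
    if (!preg_match('/\A[0-9a-f]+\z/i', $hex)) {
        throw new InvalidArgumentException('digest must be hexadecimal');
    }
    // Same expression as in the quoted line: base 16 -> base 36, at most 64 chars.
    return substr(base_convert(strtolower($hex), 16, 36), 0, 64);
}

// Convert one legacy SHA1 hex hash (40 characters) to the packed form.
// Assumption: the old CMS stored plain sha1($password) as lowercase or uppercase hex.
function migrate_legacy_sha1(string $legacyHex): string
{
    if (strlen($legacyHex) !== 40) {
        throw new InvalidArgumentException('expected a 40-character SHA1 hex digest');
    }
    return pack_digest($legacyHex);
}

// Check a login attempt against a packed, unsalted SHA1 value.
// hash_equals() keeps the comparison constant-time.
function verify_packed_sha1(string $password, string $stored): bool
{
    return hash_equals($stored, pack_digest(sha1($password)));
}

// Constructed sample data: a legacy row holding sha1('correct horse').
$legacy = sha1('correct horse');
$stored = migrate_legacy_sha1($legacy);

// Is the stored form identical to the legacy hex digest?
var_dump($stored === $legacy);
// Does the original password verify against the migrated value?
var_dump(verify_packed_sha1('correct horse', $stored));
// Does a different password verify?
var_dump(verify_packed_sha1('wrong password', $stored));

// base_convert() goes through a float for numbers this large, so compare
// two constructed digests that differ only in their last hex digit.
$a = str_repeat('a', 39) . '0';
$b = str_repeat('a', 39) . 'f';
var_dump(pack_digest($a) === pack_digest($b));
```

Because the packed value is derived from a float approximation of the digest, it carries less information than the 160-bit SHA1 output it came from, which is worth weighing when deciding whether to keep this storage format after migration.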

9 May 2008 at 11:06am
Thanks for pointing that out Sam, my problem is now solved!