
I just updated Phpass from 0.3 to 0.5 in /includes/classes/passwordhash.php

and changed, in includes/functions/password_funcs.php, in function tep_encrypt_password($plain) and in function tep_validate_password($plain, $encrypted)

      $hasher = new PasswordHash(10, true);

to

      $hasher = new PasswordHash(10, false);

I now have a 60-char Blowfish hash output. Before, I had a 34-char hash in the database field.
Is there a reason not to change it that way? I think the passwords are encrypted with a stronger hash function that way, and it should be PHP 5.3+ compatible.
Account creation, change password and reset password seem to work just fine.

And as someone asked about the max length of passwords in the osCommerce Discord chat: is there a password length limit? I don't think so. Should there be a limit? (see https://sunnysingh.io/blog/secure-passwords ) "Passwords should never be longer than 72 characters to prevent DoS attacks".



Edited by Stephan Gebbers




There's a minimum length, not a maximum. Since they are stored hashed, the length required for storage depends on the algorithm.

Some encryption mechanisms truncate passwords - I think the 72-character thing is PHP's BCRYPT.

The DoS limits are much bigger - like 4096 bytes, for example.

For a new install or if your store isn't mobile-friendly, get the community-supported responsive osCommerce (CE) here: https://github.com/gburton/Responsive-osCommerce/archive/2341-Frozen.zip

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
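The behaviour behind the two posts above (a hash that grows from 34 to 60 characters once PasswordHash(10, false) selects Blowfish, the meaning of the cost value 10, and what the "72 characters" limit actually is), as an added example that is not part of this thread, of osCommerce or of phpass. It uses PHP's own password_hash()/password_verify() API (PHP 5.5+) instead of the PasswordHash class, so the function names, constants and the legacy-checker callable are assumptions made for illustration:

```php
<?php
// Added example, not osCommerce or phpass code. It shows the bcrypt behaviour
// behind the thread's questions: why the stored hash grows from 34 to 60 chars
// when PasswordHash(10, false) selects Blowfish, what a cost of 10 means, and
// what the "72 characters" limit actually is. Assumes PHP >= 5.5 for the
// password_hash()/password_verify() API; function names are illustrative.

const BCRYPT_COST      = 10;  // same work factor as PasswordHash(10, ...): 2^10 key-setup rounds
const BCRYPT_MAX_BYTES = 72;  // bcrypt uses at most 72 bytes of the password; the rest is ignored
const BCRYPT_HASH_LEN  = 60;  // "$2y$10$" + 22 salt chars + 31 hash chars

// Hash a new password. strlen() counts bytes on purpose: bcrypt's limit is in
// bytes, so a multibyte password such as "Π" uses 2 of the 72, not 1.
function hash_password($plain)
{
    if (strlen($plain) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            'passwords over ' . BCRYPT_MAX_BYTES . ' bytes would be silently truncated by bcrypt');
    }
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if (!is_string($hash) || strlen($hash) !== BCRYPT_HASH_LEN) {
        throw new RuntimeException('password_hash() did not return a bcrypt hash');
    }
    return $hash;
}

// Verify against either format a migrated table contains: a new 60-char bcrypt
// hash, or a legacy 34-char phpass portable hash ($P$...). The legacy branch
// delegates to a callable such as array($hasher, 'CheckPassword'), which is why
// the PasswordHash class has to stay around until every row has been rehashed.
function validate_password($plain, $stored, $legacy_checker = null)
{
    if (strlen($stored) === BCRYPT_HASH_LEN && strpos($stored, '$2y$') === 0) {
        return password_verify($plain, $stored);
    }
    if (strlen($stored) === 34 && strpos($stored, '$P$') === 0 && $legacy_checker !== null) {
        return (bool) call_user_func($legacy_checker, $plain, $stored);
    }
    return false;  // unknown or damaged hash: never accept
}

// The 72-byte behaviour the thread asks about: two passwords that share their
// first 72 bytes verify against the same bcrypt hash, because bytes 73+ never
// reach the key schedule. That is why over-long input should be rejected (or
// pre-hashed) before it reaches bcrypt.
function truncation_demo()
{
    $shared = str_repeat('a', BCRYPT_MAX_BYTES);
    $hash   = password_hash($shared . 'tail-one', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    return password_verify($shared . 'tail-two', $hash);
}

// Time one hash at a given cost, in milliseconds, so the work factor can be
// checked against the actual server rather than taken on faith.
function time_cost($cost)
{
    $start = microtime(true);
    password_hash('benchmark-only', PASSWORD_BCRYPT, array('cost' => $cost));
    return (microtime(true) - $start) * 1000;
}

$hash = hash_password('correct horse battery staple');
printf("bcrypt hash length: %d chars (portable \$P\$ hashes are 34)\n", strlen($hash));
printf("right password accepted: %s\n", validate_password('correct horse battery staple', $hash) ? 'yes' : 'no');
printf("wrong password rejected: %s\n", validate_password('wrong', $hash) ? 'no' : 'yes');
printf("bytes beyond 72 ignored:  %s\n", truncation_demo() ? 'yes' : 'no');
foreach (array(10, 12) as $cost) {
    printf("cost %d: %.1f ms per hash\n", $cost, time_cost($cost));
}
```

Two things to check when applying the switch in a live store: the database column that previously held the 34-character hash must be wide enough for 60 characters, otherwise the stored hash is cut off and no login succeeds; and existing customers keep their $P$ hashes until they next log in, so validation has to recognise both formats for as long as any old rows remain.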

3 minutes ago, wHiTeHaT said:

Why did you do that?

As I wanted the best possible password encryption available. Initially I got into the password functions as someone asked about password length on the osCommerce Discord today, and I had to look into it.



1 minute ago, wHiTeHaT said:

What if my password would be Π (huh?) and salt it?
I would have the most secure pw evah...........
Usage of progresses not always compatible of provided resources.
Not yet having investigated any benchmarks on that upgrade, I believe it would be suitable.
On the other hand, I am not able to claim the correctness of anything I said above.

I did not understand a word you said ;)
I did a "Beyond Compare" on the phpass update, and it seems the update is not that revolutionary.
It should basically work like the 0.3 or 0.4 version, I think. The most significant change is my change of true to false in the PasswordHash function call, as it will use the PHP crypt function and the Blowfish hash function:

$hasher = new PasswordHash(10, false);

10x iterations and $portable_hashes = false
that will allow Blowfish (from PHP crypt)

And that is what I also asked: whether that is a stronger/better encryption. I think so.

	function HashPassword($password)
	{
		$random = '';

		# Preferred path: bcrypt via PHP's crypt(), taken only when
		# $portable_hashes is false (the PasswordHash(10, false) call above).
		if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
			$random = $this->get_random_bytes(16);
			$hash =
			    crypt($password, $this->gensalt_blowfish($random));
			if (strlen($hash) === 60)    # a complete bcrypt hash is always 60 chars
				return $hash;
		}

		# Fallback: phpass's own portable ($P$) scheme, always 34 chars long
		if (strlen($random) < 6)
			$random = $this->get_random_bytes(6);
		$hash =
		    $this->crypt_private($password,
		    $this->gensalt_private($random));
		if (strlen($hash) === 34)
			return $hash;

		# Returning '*' on error is safe here, but would _not_ be safe
		# in a crypt(3)-like function used _both_ for generating new
		# hashes and for validating passwords against existing hashes.
		return '*';
	}



