
osCommerce

The e-commerce.

updating password functions in 2.3.4.1CE / 2.3.4BS?



I just updated phpass from 0.3 to 0.5 in /includes/classes/passwordhash.php
http://www.openwall.com/phpass/

and changed, in includes/functions/password_funcs.php,
in function tep_encrypt_password($plain)

and

in function tep_validate_password($plain, $encrypted) {

this

      $hasher = new PasswordHash(10, true);

to

      $hasher = new PasswordHash(10, false);

I now have a 60-char Blowfish hash as output. Before, I had a 34-char hash in the database field.
Is there a reason not to change it that way? I think the passwords are encrypted with a stronger hash function that way, and it should be PHP 5.3+ compatible.
Account creation, change password and reset password all seem to work just fine.

And since someone asked about the maximum password length in the osCommerce Discord chat: is there a password length limit? I don't think so. Should there be a limit? (see https://sunnysingh.io/blog/secure-passwords ) "Passwords should never be longer than 72 characters to prevent DoS attacks".

Regards,
Stephan

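As an added example (not osCommerce's or phpass's own code) of what the true-to-false change buys and how to keep existing accounts working: with $portable_hashes = false, phpass hands the password to PHP's crypt() with a "$2a$10$" Blowfish salt, which is bcrypt, and PHP 5.5's native password_hash() produces the same 60-character bcrypt format with a "$2y$" prefix. The validate function below accepts either bcrypt flavour, still checks legacy 34-character "$P$" hashes through the PasswordHash class that osCommerce ships in includes/classes/passwordhash.php (assumed to be loaded), and flags them for rehashing on the next successful login. The example_ function names are hypothetical stand-ins for tep_encrypt_password() / tep_validate_password(), and PHP 5.5 or later is assumed.

```php
<?php
// Added example, not osCommerce's or phpass's own code. Assumes the phpass
// PasswordHash class from includes/classes/passwordhash.php is already loaded
// and PHP >= 5.5 (password_hash / password_verify / password_needs_rehash).
//
// phpass with $portable_hashes = false delegates to crypt() with a "$2a$10$"
// Blowfish salt: that is bcrypt, the same algorithm PHP's password_hash()
// emits as "$2y$10$". Both are 60 characters. phpass's portable "$P$" hashes
// (MD5-based) are 34 characters.

define('EXAMPLE_BCRYPT_COST', 10);   // cost 10 = 2^10 = 1024 rounds, as in the thread

// Create a new hash. password_hash() is used rather than phpass so that the
// code can never silently fall back to the weaker portable scheme.
function example_encrypt_password($plain) {
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => EXAMPLE_BCRYPT_COST));
    if ($hash === false || strlen($hash) !== 60) {
        // Fail loudly; never store a sentinel that might later verify.
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify against any format that may still be in the customers table:
// bcrypt from password_hash() or from phpass non-portable mode ("$2a$"/"$2y$"),
// or a legacy 34-char "$P$" phpass hash.
function example_validate_password($plain, $stored) {
    if (strncmp($stored, '$2', 2) === 0 && strlen($stored) === 60) {
        return password_verify($plain, $stored);   // constant-time comparison inside
    }
    if (strncmp($stored, '$P$', 3) === 0 && strlen($stored) === 34) {
        // Portable mode is needed only to CHECK old hashes; new ones are bcrypt.
        $hasher = new PasswordHash(EXAMPLE_BCRYPT_COST, true);
        return $hasher->CheckPassword($plain, $stored);
    }
    return false;   // unknown format, including the '*' that phpass returns on error
}

// True when a verified hash should be replaced: legacy "$P$" format, a lower
// cost, or a "$2a$" hash (password_needs_rehash only recognises "$2y$").
function example_needs_rehash($stored) {
    return password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => EXAMPLE_BCRYPT_COST));
}

// Login flow: verify first, then transparently upgrade old hashes. The caller
// writes 'new_hash' back to the database when it is not null.
function example_login($plain, $stored) {
    if (!example_validate_password($plain, $stored)) {
        return array('ok' => false, 'new_hash' => null);
    }
    $new = example_needs_rehash($stored) ? example_encrypt_password($plain) : null;
    return array('ok' => true, 'new_hash' => $new);
}

$hash = example_encrypt_password('correct horse');
var_dump(strlen($hash));                                       // int(60)
var_dump(substr($hash, 0, 7));                                 // string(7) "$2y$10$"
var_dump(example_validate_password('correct horse', $hash));   // bool(true)
var_dump(example_validate_password('wrong horse', $hash));     // bool(false)
var_dump(example_validate_password('anything', '*'));          // bool(false)
```

The rehash-on-login step is what makes the switch safe for an existing store: accounts created under the old 34-character scheme keep working, and each one moves to bcrypt the next time its owner logs in, without a forced password reset.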

There's a minimum length, not a maximum. Since they are stored hashed, the length required for storage depends on the algorithm.

Some encryption mechanisms truncate passwords - I think the 72-character thing is PHP's BCRYPT.

The DoS limits are much bigger - like 4096 bytes for example.

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x

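An added example, not from the thread or from osCommerce, showing the 72-byte bcrypt truncation mentioned above and one way to enforce a maximum before hashing. The limits and the example_ function names are choices made for this example, not osCommerce's constants; PHP 5.5 or later is assumed, plus the mbstring extension for the character-based minimum.

```php
<?php
// Added example, not osCommerce or phpass code. Requires PHP >= 5.5 and mbstring.

// bcrypt derives its Blowfish key from at most 72 bytes of the password;
// bytes after the 72nd never influence the hash.
function example_bcrypt_ignores_tail() {
    $a = str_repeat('a', 72) . 'ONE';
    $b = str_repeat('a', 72) . 'TWO';
    $hash = password_hash($a, PASSWORD_BCRYPT, array('cost' => 10));
    return password_verify($b, $hash);   // true: the two share their first 72 bytes
}

// The limit is in bytes, not characters: 'Π' is two bytes in UTF-8, so 36 of
// them already fill the 72-byte window.
function example_password_bytes($password) {
    return strlen($password);   // strlen counts bytes; mb_strlen counts characters
}

define('EXAMPLE_PW_MAX_BYTES', 72);   // exactly what bcrypt uses
define('EXAMPLE_PW_MIN_CHARS', 5);    // assumed store minimum, not osCommerce's setting

// Validate before hashing. Rejecting more than 72 bytes explicitly is better
// than letting bcrypt truncate silently: the user learns that the extra
// characters would add nothing, and two passwords that differ only after
// byte 72 cannot both be accepted for one account. Pre-hashing (SHA-256, then
// bcrypt) is the other common answer but has its own pitfalls; a cap is simpler.
function example_check_password($plain) {
    if (mb_strlen($plain, 'UTF-8') < EXAMPLE_PW_MIN_CHARS) {
        return 'too short';
    }
    if (strlen($plain) > EXAMPLE_PW_MAX_BYTES) {
        return 'too long: bcrypt uses only the first 72 bytes';
    }
    return 'ok';
}

var_dump(example_bcrypt_ignores_tail());                   // bool(true)
var_dump(example_password_bytes(str_repeat('Π', 36)));     // int(72)
var_dump(example_check_password(str_repeat('Π', 36)));     // string(2) "ok"
var_dump(example_check_password(str_repeat('Π', 37)));     // "too long: bcrypt uses only the first 72 bytes"
var_dump(example_check_password('correct horse'));         // string(2) "ok"
```

The DoS concern in the blog post the first poster links is about spending hashing time on very long inputs; a cap at the hash function's own limit, checked before the hash is computed, addresses it for bcrypt with no loss of strength.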

3 minutes ago, wHiTeHaT said:

why you did that?

As I wanted the best possible password encryption available. Initially I got into the password functions because someone asked about password length on the osCommerce Discord today and I had to look into it.


1 minute ago, wHiTeHaT said:

What if my password were Π (huh?) and salted?
I would have the most secure pw evah...........
Usage of progress is not always compatible with the provided resources.
I have not yet investigated any benchmarks on that upgrade; I believe it would be suitable.
On the other hand, I am not able to claim the correctness of anything I said above.

I did not understand a word you said ;)
I did a "Beyond Compare" on the phpass update and it seems the update is not that revolutionary.
It should basically work like the 0.3 or 0.4 version, I think. The most significant change is my change of true to false in the PasswordHash call, as it will use the PHP crypt function and the Blowfish hash function:

$hasher = new PasswordHash(10, false);

10x iterations and $portable_hashes = false,
which will allow Blowfish (from PHP crypt).

And that is what I also asked: whether that is a stronger/better encryption. I think so.

    // HashPassword() from phpass 0.5: with $portable_hashes = false it tries
    // crypt() Blowfish first (60-char hash) and only falls back to the
    // portable "$P$" scheme (34-char hash) if that is unavailable or fails.
    function HashPassword($password)
    {
        $random = '';

        if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
            $random = $this->get_random_bytes(16);
            $hash =
                crypt($password, $this->gensalt_blowfish($random));
            if (strlen($hash) === 60)
                return $hash;
        }

        if (strlen($random) < 6)
            $random = $this->get_random_bytes(6);
        $hash =
            $this->crypt_private($password,
            $this->gensalt_private($random));
        if (strlen($hash) === 34)
            return $hash;

        # Returning '*' on error is safe here, but would _not_ be safe
        # in a crypt(3)-like function used _both_ for generating new
        # hashes and for validating passwords against existing hashes.
        return '*';
    }


Archived

This topic is now archived and is closed to further replies.
