I just updated Phpass from 0.3 to 0.5 in /includes/classes/passwordhash.php

and changed in includes/functions/password_funcs.php,
in function tep_encrypt_password($plain)
and in function tep_validate_password($plain, $encrypted)

      $hasher = new PasswordHash(10, true);

to

      $hasher = new PasswordHash(10, false);

I now have a 60 char blowfish hash output. Before I had a 34 char hash in the database field.
Is there a reason not to change it that way? I think the passwords are encrypted with a stronger hash function that way and it should be PHP 5.3+ compatible.
Account creation, change password and reset password seem to work just fine.

And as someone asked about the max length of a password in the osCommerce Discord chat: is there a password length limit? I don't think so. Should there be a limit? (See https://sunnysingh.io/blog/secure-passwords: "Passwords should never be longer than 72 characters to prevent DoS attacks".)



Edited by Stephan Gebbers



There's a minimum length, not a maximum. Since they are stored hashed, the length required for storage depends on the algorithm.

Some encryption mechanisms truncate passwords - I think the 72 character thing is PHP's BCRYPT.

The DoS limits are much bigger - like 4096 bytes for example.

3 minutes ago, wHiTeHaT said:

Why did you do that?

As I wanted the best possible password encryption available. Initially I got into the password functions as someone asked about password length on the osCommerce Discord today and I had to look into it.



1 minute ago, wHiTeHaT said:

What if my password would be Π (huh?) and salt it?
I would have the most secure pw evah...........
Usage of progresses is not always compatible with the provided resources.
Yet, not having investigated any benchmarks on that upgrade, I believe it would be suitable.
On the other hand, nothing of what I said above am I able to claim the correctness of.

I did not understand a word you said ;)
I did a "Beyond Compare" on the Phpass update and it seems the update is not that revolutionary.
It should basically work as the 0.3 or 0.4 version, I think. The most significant change is my change of true to false in the PasswordHash function call, as it will use the PHP crypt function and the Blowfish hash function:

$hasher = new PasswordHash(10, false);

10 iterations and $portable_hashes = false
That will allow Blowfish (from PHP crypt).

And that is what I also asked: if that is a stronger/better encryption. I think so.

    function HashPassword($password)
    {
        $random = '';

        # Preferred path: bcrypt through PHP's crypt(), giving a 60-char hash.
        # Only taken when $portable_hashes is false (PasswordHash(10, false)).
        if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
            $random = $this->get_random_bytes(16);
            $hash =
                crypt($password, $this->gensalt_blowfish($random));
            if (strlen($hash) === 60)
                return $hash;
        }

        # Fallback: phpass's own MD5-based "portable" hash, 34 chars ($P$...).
        if (strlen($random) < 6)
            $random = $this->get_random_bytes(6);
        $hash =
            $this->crypt_private($password,
            $this->gensalt_private($random));
        if (strlen($hash) === 34)
            return $hash;

        # Returning '*' on error is safe here, but would _not_ be safe
        # in a crypt(3)-like function used _both_ for generating new
        # hashes and for validating passwords against existing hashes.
        return '*';
    }



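For the two length questions raised in this thread (bcrypt's 72-byte truncation and a DoS cap such as the 4096 bytes mentioned above), here is an added PHP example that is not code from the thread or from phpass itself. It reproduces the crypt()-with-bcrypt-salt path that PasswordHash(10, false) selects, and shows that two passwords sharing the same first 72 bytes verify against the same stored hash; the MAX_PASSWORD_BYTES cap and the helper names are my own, and it assumes PHP 7 or later (random_bytes, hash_equals).

```php
<?php
// Added example, not code from the osCommerce thread or from phpass itself.
// Mirrors what PasswordHash(10, false) does (crypt() with a bcrypt salt)
// and demonstrates the two length questions raised in the thread.

const BCRYPT_COST        = 10;   // the "10" passed to PasswordHash(10, false)
const MAX_PASSWORD_BYTES = 4096; // assumed input cap; the figure quoted above

// Build "$2y$10$" + 22 salt chars from 16 random bytes, the same shape that
// phpass's gensalt_blowfish() produces with its own encoder.
function bcrypt_salt(int $cost): string {
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

function hash_password(string $plain): string {
    if (strlen($plain) > MAX_PASSWORD_BYTES) {
        throw new InvalidArgumentException('password exceeds length cap');
    }
    $hash = crypt($plain, bcrypt_salt(BCRYPT_COST));
    // crypt() returns a short "*0"/"*1" string on failure; a real bcrypt
    // hash is exactly 60 characters, which is the check phpass makes too.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    return $hash;
}

function validate_password(string $plain, string $stored): bool {
    if (strlen($plain) > MAX_PASSWORD_BYTES) {
        return false; // reject before doing any expensive hashing
    }
    // Using the stored hash as the salt re-derives the hash; hash_equals()
    // keeps the comparison constant-time.
    return hash_equals($stored, crypt($plain, $stored));
}

// Constructed inputs: both share the same first 72 bytes.
$first  = str_repeat('a', 72) . 'TAIL-ONE';
$second = str_repeat('a', 72) . 'TAIL-TWO';
$stored = hash_password($first);

printf("stored hash length: %d\n", strlen($stored));
printf("prefix: %s\n", substr($stored, 0, 7));
printf("exact password accepted: %s\n", var_export(validate_password($first, $stored), true));
printf("differs only after byte 72 accepted: %s\n", var_export(validate_password($second, $stored), true));
printf("differs within first 72 bytes accepted: %s\n", var_export(validate_password('b' . substr($first, 1), $stored), true));
```

Because bcrypt only consumes the first 72 bytes, the second check passes while the third fails, which is why a 72-character limit is a bcrypt property rather than a DoS measure; the separate byte cap is what bounds the work per login attempt.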