Joomla! Issue Tracker | Joomla! CMS #1745 - Add support for Bcrypt, use it in remember me and optionally use it for passwords

Closed
4 Oct 2013
Medium
Build: master
# 1745
Diff
elinw:addbcryptsupport
Foreign ID 31561

Success

Success default The Travis CI build passed Details

User tests: Successful: Unsuccessful:

elinw
15 Aug 2013

There is a longer explanation of the background of this in the feature tracker
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31561&start=0

071809e 27 Jun 2013

wip commit

98aedee 27 Jun 2013

WIP Commit

3431d09 28 Jun 2013

WIP commit

b059701 28 Jun 2013

WIP commmit

38f753e 28 Jun 2013

Merge branch 'master' of https://github.com/joomla/joomla-cms into rememberme

d217c05 28 Jun 2013

wp

508897f 28 Jun 2013

wp

ceb6a97 28 Jun 2013

Add password compatibility package and use it.

4ca0192 29 Jun 2013

Merge branch 'master' of https://github.com/joomla/joomla-cms into rememberme

f9eea95 29 Jun 2013

WIP commit

f3389ff 29 Jun 2013

Only use the compat when needed.

df3a55d 29 Jun 2013

Add mysql. Still needs postgres and sqlsrv.

7f78535 29 Jun 2013

Use prefix.

cd48b22 29 Jun 2013

Merge branch 'master' of https://github.com/joomla/joomla-cms into rememberme

b279f6f 30 Jun 2013

Fix some bugs

943d701 30 Jun 2013

Fix some bugs, make things a bit faster.

df09327 30 Jun 2013

Fix sql files

6a3fcfd 4 Jul 2013

Destroy used cookies.

0d347a7 5 Jul 2013

Make cookie life time and the random string length configurable

c584ce5 5 Jul 2013

Fix invalid check.

9f16c70 5 Jul 2013

Merge branch 'master' of https://github.com/joomla/joomla-cms into bcrypt

5a06428 5 Jul 2013

Use bcrypt's own salt.

8fba3d7 7 Jul 2013

Merge branch 'master' of https://github.com/joomla/joomla-cms into rememberme

ca31577 8 Jul 2013

Fixed typo.

1883dca 9 Jul 2013

Remove unneeded files, fix some typos, remove some WIP code.

6d550d4 9 Jul 2013

Remove another file.

0e202ea 9 Jul 2013

Fix some bugs with cases

b949be8 9 Jul 2013

Some updates to deal with how juser handles salts.

493670b 9 Jul 2013

Fix for updating users

9161641 9 Jul 2013

cs

elinw - open - 15 Aug 2013

nicksavov - comment - 25 Aug 2013

Hi Elin,

Looks like this is out-of-sync, unfortunately. Could you update it to master?

coolacid - comment - 28 Aug 2013

Reviewed the patch - looks clean. I couldn't see any major issues with the code. Made a few optimization comments to elin offline.

mbabker - comment - 6 Sep 2013

Can you rebase onto master please?

mbabker - comment - 7 Sep 2013

I think my merging of the two-factor auth patch threw you out of sync again, the merge button is greyed out.

coolacid - comment - 7 Sep 2013

There was some comments somewhere about Using SHA512 vs SHA256 for fall back.

Even though SHA512 is faster then SHA256, we're not doing it often enough to make it really required.

Second, this is a fall back, not a "we need faster speed". If they are worried about speed, use bcrypt.

Third, IANACE (I am not a crypto expert), but given that SHA512 uses a block size of 64 bits. Thus, As I understand it, Anything less then 8 character passwords would require padding, this could yield to other attacks. SHA256 uses a block size of 32 bits, so at 8 character passwords, you'd have at least two runs instead of the one.

(EDIT)
Duh, we should be using a salt > 8 chars, so you would have at least 2 rounds on a 64bit block size. But, the lower block size would be better in the long run as there would be more rounds.

Add a Comment

Login with GitHub to post a comment

Older
Newer