
Re: [jfw] Issue with Joomla\Crypt\Password\Simple



We elected to simply deprecate that API in favor of the native PHP API, we felt there wasn't a need to have a wrapping layer around these native functions.

Part of it is because of how "legacy" hashes are generated and their strengths being not that strong.  The Joomla password type maps to the older style MD5 based hashes which should only be used for migrating legacy users forward today.  The verification part of that does use the native API for Blowfish (BCrypt) passwords, but create uses PHP's crypt() function.

In the CMS, the JUserHelper class keeps handling password generation and verification for different types (and uses the native functions as appropriate) since it is still supporting upgrading users with older hash types to the current standard.  At the Framework level, we'd rather encourage users to simply use the PHP API, follow the best practices associated with that API, and be less reliant on a wrapping layer such as the Joomla\Crypt\PasswordInterface and the Simple class implementing it.

On Thursday, September 22, 2016, Elena Cenacchi <elena.cenacchi AT gmail.com> wrote:
Hi Michael,

Thanks for the answer!
Do you mean using the native PHP hash functions: http://php.net/manual/en/function.password-hash.php

This certainly can be a solution, but, since it's a PHP core function, couldn't it be integrated inside the Joomla! Framework library?

Currently the Simple.php performs the following:

....
case PasswordInterface::JOOMLA:
   $salt = $this->getSalt(32);
   return md5($password . $salt) . ':' . $salt;

Can't the class be updated so as to use password_hash() instead?




Il giorno giovedì 22 settembre 2016 10:52:01 UTC+2, Elena Cenacchi ha scritto:
Hi,

I am crypting user passwords, before storing them in the database using the following code in my Model:

use Joomla\Crypt\Password\Simple;

$this->simplepw = new Simple();
$pw = $this->simplepw->create($user['password'], 'Joomla');

Anyhow, I notice that often the password is generated in a wrong format: the string contains invalid characters like . / etc. If I repeat the procedure one or two times, then finally the password is generated in the correct format, and everything works.
A practical example: let's say I want to store the "test" password:

1st trial stores: 44a561c12a9d6a1279058e2a5e337648:z8k6H3pccyCeso0VJgntlpjs/g2S9OXq
2nd trial stores: f084288fddba112578d2f6d9a37cee0f:cB609FIrfx3E0R8lGp65WNi.4FYuYf8/
3rd trial stores: b41d97a35f4ed1015ca93738410098c5:JrjTpJk.xncGGf8.Anoaory4LQpQSQRN
4th trial stores: 563e29fa45b0b5dd2cd1afda6172eba4:XjLZyV9gIC9ZjfRLBD26artyANnsxKGD
(and this is valid)

The behavior is random: sometimes the 1st trial is OK, other times it takes more shots (usually < 5).

Do you have any hint about why this happens?

Elena




--
Framework source code: https://github.com/joomla-framework
Visit http://developer.joomla.org for more information about developing with Joomla!
---
You received this message because you are subscribed to the Google Groups "Joomla! Framework Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-framework+unsubscribe AT googlegroups.com.
Visit this group at https://groups.google.com/group/joomla-dev-framework.


--
- Michael

Please pardon any errors, this message was sent from my iPhone.
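The migration path Michael describes (accept the legacy md5:salt hash quoted in the thread once, then replace it with a native password_hash() bcrypt hash), as an added example that is not Joomla's code; the function names and the sample salt are my own, and the salt deliberately contains the '.' and '/' characters Elena saw.

```php
<?php
// Added example, not from the Joomla Framework. Legacy hash format is the
// one quoted in the thread: md5($password . $salt) . ':' . $salt

// Verify a legacy Joomla-type hash. '.' and '/' are legal salt characters
// (the crypt() alphabet), so they must not be treated as corruption.
function verifyLegacyJoomla(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32) {
        return false; // not a legacy md5:salt hash
    }
    [$hash, $salt] = $parts;
    // Constant-time comparison avoids leaking matching prefix length.
    return hash_equals($hash, md5($password . $salt));
}

// Returns the hash that should be stored after this login attempt,
// or null if the password did not match.
function verifyAndUpgrade(string $password, string $stored): ?string
{
    // Modern hashes first: password_verify() handles bcrypt ($2y$) natively
    // and simply returns false for an md5:salt string.
    if (password_verify($password, $stored)) {
        return password_needs_rehash($stored, PASSWORD_BCRYPT)
            ? password_hash($password, PASSWORD_BCRYPT)
            : $stored;
    }
    // Legacy hash matched: accept this once and upgrade to bcrypt.
    if (verifyLegacyJoomla($password, $stored)) {
        return password_hash($password, PASSWORD_BCRYPT);
    }
    return null;
}

// Constructed sample: legacy hash of "test" with a 32-char salt that
// contains '.' and '/' (hypothetical value, not from the thread).
$salt   = 'abc./DEF0123456789GHIJKLMNOPQRST';
$legacy = md5('test' . $salt) . ':' . $salt;

$upgraded = verifyAndUpgrade('test', $legacy);
assert($upgraded !== null && strpos($upgraded, '$2y$') === 0);
assert(verifyAndUpgrade('wrong', $legacy) === null);
assert(verifyAndUpgrade('test', $upgraded) === $upgraded); // already bcrypt
echo $upgraded, PHP_EOL;
```

Store the returned string whenever it differs from what is in the database; after one successful login every legacy row ends up as a bcrypt hash.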
