Import members: problem with passwords

Development and Programming

luvd, 52 posts, 15 years ago

A forum based on phpBB v3 has +20000 registered members. Only the members need to be imported in EE, not the forum topics.

phpBB3 does not use plain MD5 to store the passwords, but Blowfish (or MD5 when not available) together with a hash. This password hashing method is known as “Portable PHP password hashing framework”: http://www.openwall.com/phpass/.

Is it possible to extend the password-schemes used by EE, to provide this kind of coding? Is the password-scheme plugin-able: meaning it can be extended by third parties?

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd

I might be wrong, but it seems that the function do_hash in helpers\security_helper.php is doing the hashing of the password (MD5 or SHA1). I understand it is dangerous to touch this, but changing this function, could this solve my issue?

       
Ingmar's avatar
Ingmar
29,245 posts
15 years ago
Ingmar's avatar Ingmar

EE uses SHA1 or MD5. If you need anything else some custom code would be needed, yes. You could also make a Feature Request, of course.

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd
If you need anything else some custom code would be needed, yes.

And would that custom code involve modifying the file security_helper.php directly, or is there some plugin, extension, module structure which needs to be used?

       
Sue Crocker's avatar
Sue Crocker
26,054 posts
15 years ago
Sue Crocker's avatar Sue Crocker

I don’t recall any sort of third party addon that is available, but you could check Devot-ee.

Would you like me to move this to the CodeShare Corner?

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd

I think moving this to the “Development and Programming” forum is more appropriate.

       
Ingmar's avatar
Ingmar
29,245 posts
15 years ago
Ingmar's avatar Ingmar

So moved.

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd

Indeed, moved … but not solved.

Is anyone interested in security here? Does nobody care that the passwords are stored as a simple SHA1 hash in the database? Are there extensions, plugins, hooks available to enhance security?

       
Lisa Wess's avatar
Lisa Wess
20,502 posts
15 years ago
Lisa Wess's avatar Lisa Wess

Changing how and what way passwords are stored is not a small undertaking. There are many times they are updated, verified, etc. I would recommend posting a feature request for this.

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd

Done that: http://ellislab.com/forums/viewthread/164778/

But as these feature requests are piling up, I was wondering if EllisLab is going to provide feedback to them.

       
Lisa Wess's avatar
Lisa Wess
20,502 posts
15 years ago
Lisa Wess's avatar Lisa Wess

We read all feature requests, but we do not respond to all of them. This is explained in the sticky Making Feature Requests.

Thank you, luvd!

       
Ingmar's avatar
Ingmar
29,245 posts
15 years ago
Ingmar's avatar Ingmar
Is anyone interested in security here?

Oh, yes. We take security very seriously indeed.

> Does nobody care that the passwords are stored as a simple SHA1 hash in the database?

There is nothing fundamentally wrong with using SHA1 for hashing. I’m sure we’ll move to more advanced algorithms as they become available but for now there’s no urgent need.

       
luvd's avatar
luvd
52 posts
15 years ago
luvd's avatar luvd
There is nothing fundamentally wrong with using SHA1 for hashing.

Yes there is: the same password will have the same hash every time.

Quoting Bruce Schneier (an internationally renowned security technologist and author) who wrote in 2005: Don’t use SHA-1 for anything new, and start moving away from it as soon as possible. (http://www.schneier.com/blog/archives/2005/10/nist_hash_works_2.html)

> I’m sure we’ll move to more advanced algorithms as they become available

There are more advanced algorithms available today. And they are already integrated into CodeIgniter: http://codeigniter.com/wiki/SimpleLoginSecure/
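
The two points argued in this thread (the opening post's question of how to honour imported phpBB3 phpass hashes, and the closing point that an unsalted SHA1 gives the same hash for the same password) can be shown together in one login routine. The following is an added example written for this page; it is not ExpressionEngine, CodeIgniter or phpBB code. It assumes imported member records hold one of three formats: an unsalted SHA-1 hex digest (what the thread says EE's do_hash() produces), a phpass "portable" hash ("$P$" or "$H$" prefix, the MD5-based scheme phpass uses when bcrypt is unavailable, ported here from phpass' crypt_private() and encode64()), or the salted PBKDF2 format defined in the block. A dict stands in for the members table, the member names and passwords are constructed, and the iteration count is an assumed default.

```python
"""Verify imported password hashes and upgrade them transparently on login.

Added example; not ExpressionEngine, CodeIgniter or phpBB code.  Stored values
are assumed to be one of: unsalted SHA-1 hex (legacy EE), a phpass portable
hash ("$P$"/"$H$", what phpBB3 stores without bcrypt), or the PBKDF2 format
produced by modern_hash() below.  A dict stands in for the members table.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PBKDF2_ITERATIONS = 200_000  # assumed default; raise to what your hardware allows


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, standing in for EE's do_hash(): same input, same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def _phpass_encode64(raw: bytes) -> str:
    """phpass' own base64 alphabet and bit ordering (not RFC 4648)."""
    out, i = [], 0
    while i < len(raw):
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < len(raw):
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= len(raw):
            break
        i += 1
        if i < len(raw):
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= len(raw):
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a phpass portable hash from its 12-char setting prefix
    ("$H$" + cost character + 8-char salt), as phpass' crypt_private() does."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("phpass cost out of range")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # 2**count_log2 MD5 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _phpass_encode64(digest)


def phpass_hash(password: str, count_log2: int = 11) -> str:
    """Create a portable hash the way phpBB3 does ("$H$9" means 2**11 rounds)."""
    setting = "$H$" + ITOA64[count_log2] + _phpass_encode64(os.urandom(6))
    return phpass_crypt(password, setting)


def modern_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the random salt is what makes two
    members with the same password get different stored values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever format the stored value uses."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if stored.startswith(("$P$", "$H$")):
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    if len(stored) == 40:                     # legacy unsalted SHA-1 hex digest
        return hmac.compare_digest(legacy_sha1(password), stored)
    return False


def login(members: dict, username: str, password: str) -> bool:
    """Authenticate; on success, replace any legacy hash with a modern one.
    The plaintext is only available at login, so this is the moment to rehash."""
    stored = members.get(username)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        members[username] = modern_hash(password)
    return True


if __name__ == "__main__":
    # Constructed sample data: two EE members sharing a password, one phpBB import.
    members = {
        "alice": legacy_sha1("correct horse"),
        "carol": legacy_sha1("correct horse"),
        "bob":   phpass_hash("battery staple"),
    }
    print("alice == carol (unsalted SHA-1):", members["alice"] == members["carol"])
    print("bob logs in:", login(members, "bob", "battery staple"))
    print("bob now stored as:", members["bob"][:22] + "...")
```

Imported phpBB rows keep their "$H$" hash untouched until the member next logs in, so no password ever has to be reset for the import. Before relying on the port, check it against a hash exported from the real phpBB database; bcrypt-style phpass hashes ("$2a$") are not handled here and would need a bcrypt library.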


Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.