Use password_hash directly instead of password_hash(md5()) #17238
Labels
c: Security
As discussed in #11962 (comment)
At the moment Matomo stores passwords as password_hash(md5($user_password)). While this isn't a huge issue, this also isn't ideal.
To avoid this, one could create a migration that adds some version string to this hash and then modifies the code to allow logging in with this modified old hash. In addition, a new method could be created that uses password_hash directly (with some other version string).
Finally, every time a user logs in, the password hash could be migrated from the old to the new method using the user's password directly (quite similar to the current setup with password_needs_rehash).
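The migration and login-time upgrade described above, as an added example that is not Matomo's own code. The version markers `$md5pw$` and `$pw$`, the function names, and PHP 8 (for `str_starts_with`) are assumptions.

```php
<?php
// Added example (not Matomo's code). Stored value = version marker + hash.
// "$md5pw$" tags the legacy password_hash(md5($pw)) form (assumed marker),
// "$pw$" tags the new direct password_hash($pw) form (assumed marker).
const LEGACY_PREFIX  = '$md5pw$';
const CURRENT_PREFIX = '$pw$';

// One-off migration step: tag every existing password_hash(md5()) value.
// Already tagged values are returned unchanged so the step is idempotent.
function migrateLegacyHash(string $storedHash): string {
    if (str_starts_with($storedHash, LEGACY_PREFIX) || str_starts_with($storedHash, CURRENT_PREFIX)) {
        return $storedHash;
    }
    return LEGACY_PREFIX . $storedHash;
}

// New method: hash the password directly, with no md5() pre-hash.
function hashPassword(string $password): string {
    return CURRENT_PREFIX . password_hash($password, PASSWORD_DEFAULT);
}

// Login check. Returns null on a wrong password; otherwise the value to keep
// in the database: a fresh direct hash when the stored one is legacy (or when
// password_needs_rehash() reports outdated parameters), else the stored value.
function verifyAndMaybeRehash(string $password, string $storedHash): ?string {
    if (str_starts_with($storedHash, LEGACY_PREFIX)) {
        $hash = substr($storedHash, strlen(LEGACY_PREFIX));
        if (!password_verify(md5($password), $hash)) {
            return null;
        }
        return hashPassword($password); // plaintext is available now: upgrade
    }
    if (str_starts_with($storedHash, CURRENT_PREFIX)) {
        $hash = substr($storedHash, strlen(CURRENT_PREFIX));
        if (!password_verify($password, $hash)) {
            return null;
        }
        return password_needs_rehash($hash, PASSWORD_DEFAULT) ? hashPassword($password) : $storedHash;
    }
    return null; // untagged value: migration has not run, refuse rather than guess
}

// Walk-through with a constructed legacy record.
$legacy = migrateLegacyHash(password_hash(md5('correct horse'), PASSWORD_DEFAULT));
$new = verifyAndMaybeRehash('correct horse', $legacy);       // upgraded to "$pw$..."
assert($new !== null && str_starts_with($new, CURRENT_PREFIX));
assert(verifyAndMaybeRehash('wrong password', $legacy) === null);
assert(verifyAndMaybeRehash('correct horse', $new) === $new); // no further rehash
```

Because the legacy branch only ever accepts a tagged hash, any untagged leftover value fails closed, which makes an incomplete migration visible in login failures rather than silently accepting the old format.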