@Findus23 opened this Issue on February 19th 2021 Member

As discussed in https://github.com/matomo-org/matomo/issues/11962#issuecomment-782231136

At the moment Matomo stores passwords as password_hash(md5($user_password)). While this isn't a huge issue, this also isn't ideal.

To avoid this one could create a migration that adds some version string to this hash and then modifies the code to allow logging in with this modified old hash. In addition a new method could be created that uses password_hash directory (with some other version string).
Finally every time a user logs in, the password hash could be migrated from the old to the new method using the users password directly. (quite similar to the current setup with password_needs_rehash)

Powered by GitHub Issue Mirror