updateUserFields in Model.php save password with MD5 Weak encryption #18904

Closed
tw-mk opened this issue Mar 9, 2022 · 1 comment
Labels
answered For when a question was asked and we referred to forum or answered it.

tw-mk commented Mar 9, 2022

The updateUserFields method in Model.php updated the user password into the DB by using MD5 encryption. SonarQube raises a security hotspot on this with the message "Make sure this weak hash algorithm is not used in a sensitive context here."

Suggested fix from SonarQube:
Safer alternatives, such as SHA-256, SHA-512, SHA-3 are recommended, and for password hashing, it's even better to use algorithms that do not compute too "quickly", like bcrypt, scrypt, argon2 or pbkdf2 because it slows down brute force attacks.

Member

sgiehl commented Mar 9, 2022

Hi @tw-mk. Thanks for creating this issue. Actually, only the token_auth should be created using md5. But in the database, the token_auth as well as the password should be stored using sha512.

sgiehl closed this as completed Jun 3, 2022
sgiehl added the "answered" label Jun 3, 2022
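
An added example, not part of the issue thread or the project's code: one way to move stored passwords from unsalted MD5 to a slow, salted hash of the kind the SonarQube guidance quoted above recommends, by re-hashing on the next successful login. All function names and the sample password are hypothetical, and it assumes a legacy row holds a bare 32-character hex MD5 digest.

```php
<?php
// Added illustration. Names are hypothetical; this is not the project's Model.php.

// bcrypt work factor; raise it as hardware gets faster.
const HASH_OPTIONS = ['cost' => 12];

// Slow, salted hash via PHP's password API (a random salt is embedded in the output).
function slowHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

// Assumption: a legacy row is exactly 32 lowercase hex characters (unsalted MD5).
function isLegacyMd5(string $storedHash): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $storedHash) === 1;
}

/**
 * Check a login attempt against the stored hash.
 * Returns the hash that should be stored afterwards (upgraded when needed),
 * or null when the password does not match.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    if (isLegacyMd5($storedHash)) {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        if (!hash_equals($storedHash, md5($password))) {
            return null;
        }
        return slowHash($password); // the plaintext is only available now, so upgrade here
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Also re-hash when the stored cost is lower than the current policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        return slowHash($password);
    }
    return $storedHash;
}

// Constructed sample data: a legacy row, then three login attempts.
$legacyRow = md5('correct horse battery staple');
$upgraded  = verifyAndUpgrade('correct horse battery staple', $legacyRow);
var_dump(password_get_info($upgraded)['algoName']);       // algorithm of the upgraded row
var_dump(verifyAndUpgrade('wrong password', $legacyRow)); // failed login, nothing to store
var_dump(verifyAndUpgrade('correct horse battery staple', $upgraded) === $upgraded);
```

Rows belonging to users who never log in again keep their MD5 digest, so a migration like this is usually paired with a forced reset or expiry for accounts that stay on the legacy format.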