@tw-mk opened this Issue on March 9th 2022

The updateUserFields method in Model.php writes the user password to the DB using MD5 encryption. SonarQube raises a security hotspot on this with the message "Make sure this weak hash algorithm is not used in a sensitive context here."

Suggested fix from SonarQube:

"Safer alternatives, such as SHA-256, SHA-512, SHA-3 are recommended, and for password hashing, it's even better to use algorithms that do not compute too 'quickly', like bcrypt, scrypt, argon2 or pbkdf2 because it slows down brute force attacks."

@sgiehl (Member) commented on March 9th 2022

Hi @tw-mk. Thanks for creating this issue. Actually, only the token_auth should be created using md5. But in the database, the token_auth as well as the password should be stored using sha512.
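As an added illustration of the two points raised in this thread (SonarQube's advice to store passwords with a salted, deliberately slow KDF rather than a fast digest, and the distinction between a user-chosen password and a randomly generated token_auth that is stored under a fast hash such as SHA-512), here is a stand-alone Python example. It is not Matomo's code and does not reproduce Model.php: the function names, the storage record format and the PBKDF2 parameters are assumptions made for this example, and PBKDF2-HMAC-SHA256 stands in for the bcrypt/scrypt/argon2 family SonarQube names.

```python
"""Hypothetical example: weak vs. adequate storage of passwords and API tokens.

Not Matomo code. Names, record format and work factor are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Assumed work factor; a deployment would tune this to its hardware budget.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """The pattern SonarQube flags: an unsalted, fast digest of a user-chosen secret.

    Identical passwords give identical digests (so precomputed tables work),
    and MD5 is cheap enough that offline guessing is fast.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow password hash. Returns a self-describing record.

    Record layout (assumed for this example): algorithm$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy (e.g. md5) record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def new_api_token() -> str:
    """A random 256-bit token (64 hex chars). Shown to the user once."""
    return secrets.token_hex(32)


def token_storage_hash(token: str) -> str:
    """A fast hash is acceptable here: the input is high-entropy and random,
    so stretching adds nothing; hashing only prevents a leaked DB from being
    replayed directly as credentials."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


def verify_api_token(presented: str, stored_hash: str) -> bool:
    return hmac.compare_digest(token_storage_hash(presented), stored_hash)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("md5 twice :", md5_hex(pw) == md5_hex(pw))          # True: no salt
    r1, r2 = hash_password(pw), hash_password(pw)
    print("kdf twice :", r1 == r2)                             # False: per-user salt
    print("verify    :", verify_password(pw, r1), verify_password(pw + "!", r1))
    tok = new_api_token()
    stored = token_storage_hash(tok)
    print("token ok  :", verify_api_token(tok, stored))
    print("token bad :", verify_api_token(new_api_token(), stored))
```

The asymmetry is the point: passwords are low-entropy, so the hash must be salted and expensive to make offline guessing slow; a token_auth generated from a CSPRNG has enough entropy that guessing is infeasible regardless of hash speed, and the stored SHA-512 serves only to keep a database leak from yielding usable credentials. Constant-time comparison (`hmac.compare_digest`) is used in both verify paths.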

This Issue was closed on June 3rd 2022