Cassim Posted September 2, 2021
Hello. We have been running over the security of ThirtyBees. And we did see, as many of you know, that PS1.6/TB are running on a very old MD5 hash solution for its passwords. And that's simply not good. We have been looking into what to do about this, and what we have found, and the only thing we seem to find, is that we need to recode all of the password section or use another auth system. Here we have been looking into Firebase Authentication; it's the same that PrestaShop uses for their addons. I seem to have found some kind of "code" for it: https://github.com/PrestaShop/firebaseauthenticator We have found a few other services like auth0.com and others, but no native module for PS/TB. What do you others do? Is there a plan for TB to create a better system?

datakick Posted September 2, 2021
TB is not using md5 for password hashing. It is using the password_hash function instead; that's quite a secure solution. If you have migrated from PS16, some of the accounts might still be using md5, but after first login their password will be automatically rehashed using the password_hash function.

Cassim (Author) Posted September 3, 2021
Do you have
> 15 hours ago, datakick said: password_hash
Is this in the same family as bcrypt, or where are we with the safety? Or is there any kind of "salt" and/or algorithm used?

datakick Posted September 3, 2021
> 2 minutes ago, Cassim said: Do you have Is this in the same family as bcrypt, or where are we with the safety? Or is there any kind of "salt" and/or algorithm used?
https://www.php.net/manual/en/function.password-hash.php
Currently, it uses bcrypt by default. In future PHP versions this might change, of course.

Cassim (Author) Posted September 3, 2021
#love @datakick Thanks for this reply.
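
The rehash-on-first-login behaviour described in the thread, sketched with PHP's password API as an added example; it is not thirty bees' code and not part of any post above. The legacy format `md5(key . password)`, the `LEGACY_KEY` constant and the `verifyAndUpgrade()` helper are assumptions made for illustration.

```php
<?php
// Added illustration, not thirty bees source code.
// Assumption: legacy accounts store md5(LEGACY_KEY . password) as 32 hex chars.
const LEGACY_KEY = 'constructed-site-key';

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $replacementHash]; the caller saves
 * $replacementHash to the account row when it is not null.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // password_get_info() reports 'unknown' for anything that was not
    // produced by password_hash(), such as a bare MD5 digest.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $legacy = md5(LEGACY_KEY . $password);
        if (!hash_equals($stored, $legacy)) {   // constant-time compare
            return [false, null];
        }
        // The plaintext is only available now, so upgrade immediately.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }

    // Covers a later change of PHP's default algorithm or cost:
    // password_needs_rehash() flags hashes made with older settings.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;

    return [true, $new];
}

// Constructed sample account that still carries a legacy digest.
$stored = md5(LEGACY_KEY . 'correct horse battery');

[$ok, $upgraded] = verifyAndUpgrade('correct horse battery', $stored);
var_dump($ok);
// The new string embeds algorithm, cost and a random per-password salt.
var_dump(password_get_info($upgraded));

// Second login: verified by password_verify(), no further rehash needed.
var_dump(verifyAndUpgrade('correct horse battery', $upgraded));

// Wrong password against the upgraded hash.
var_dump(verifyAndUpgrade('wrong guess', $upgraded));
```

Accounts that never log in again keep their legacy digest under this scheme, so a store that wants every MD5 hash gone also needs a forced password reset for dormant accounts.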