16 Apr
2021
16 Apr
'21
7 p.m.
Am 16.04.21 um 20:31 schrieb Justin Capella via arch-general:
Can't help but think that if there is a length limit to a password it is plaintext in the database.
Good catch, but no: https://github.com/Flyspray/flyspray/blob/master/scripts/authenticate.php
Latest commit 1528f9d on 2 Sep 2019
# upgrade from unsalted md5 or unsalted sha1 or unsalted sha512 to better if($conf['general']['passwdcrypt']=='argon2i'){ $newhash=password_hash($password, PASSWORD_ARGON2I); }else{ $cryptoptions=array('cost'=>12); $newhash=password_hash($password, PASSWORD_BCRYPT, $cryptoptions); } # save the new hash $db->query("UPDATE {users} SET user_pass=? WHERE user_id=?", array($newhash, $user_id));