Loui Chang wrote:
Thank you for your suggestions. These are things that are best discussed on the aur-dev mailing list.
Seems like you've put some thought into this. Why don't you submit a patch?
Thanks for your support. Here goes an attempt. I have mixed my suggestions with Denis' idea of changing the hash algorithm at the same time plus a few bits I found on the way.

Actions performed by this patch:
* salt to be NULL, in which case it is treated as md5 hashed password.
* All entries can be automatically updated by a -to be written- script.
* Removes add salt on login code, per above.
* Salted passwords now use sha512 instead of md5.
* Adds requirement on hash extension (usually bundled as static).
* try_login() only performs one query to verify user login instead of 5.
* generate_salt now uses mt_rand()
* Reject passwords given by GET.
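
The verification scheme the post describes, as an added sketch that is not the patch or the project's own code: a NULL salt selects the legacy md5 check, a non-NULL salt selects salted sha512, and a password sent by GET is refused. The `salt . password` concatenation order, hex digests, the `passwd` field name and every function name except `generate_salt` are assumptions, and `random_bytes()` is swapped in for the `mt_rand()` the post mentions.

```php
<?php
// Added illustration, not the AUR patch. Assumptions: hex digests, salted
// digest = sha512(salt . password), and a form field named "passwd".

function generate_salt(): string
{
    // The post uses mt_rand(); random_bytes() (a CSPRNG) is swapped in here.
    return bin2hex(random_bytes(16));
}

function salted_hash(string $password, string $salt): string
{
    return hash('sha512', $salt . $password);
}

// $stored: digest column; $salt: salt column, NULL for a legacy md5 row.
function check_password(string $password, string $stored, ?string $salt): bool
{
    $candidate = ($salt === null)
        ? md5($password)                     // legacy row: unsalted md5
        : salted_hash($password, $salt);     // migrated row: salted sha512
    return hash_equals($stored, $candidate); // constant-time comparison
}

// Accept the password only from the POST body; refuse it if it came by GET.
function password_from_request(array $get, array $post): ?string
{
    if (array_key_exists('passwd', $get)) {
        return null;
    }
    $value = $post['passwd'] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed sample rows: one legacy (NULL salt), one salted.
$salt  = generate_salt();
$users = [
    'legacy' => ['passwd' => md5('correct horse'), 'salt' => null],
    'salted' => ['passwd' => salted_hash('correct horse', $salt), 'salt' => $salt],
];

foreach ($users as $name => $row) {
    $pw = password_from_request([], ['passwd' => 'correct horse']);
    var_dump($name, check_password($pw, $row['passwd'], $row['salt']));
}
// Same password supplied in the query string: refused before any hashing.
var_dump(password_from_request(['passwd' => 'correct horse'], []));
```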