[aur-dev] FS#17109: AUR passwords are not salted
Linas
linas_fi at ymail.com
Mon Apr 19 03:49:25 EDT 2010
Loui Chang wrote:
> Thank you for your suggestions. These are things that are best discussed
> on the aur-dev mailing list.
>
> Seems like you've put some thought into this. Why don't you submit a
> patch?
>
Thanks for your support. Here goes an attempt.
I have mixed my suggestions with Denis idea of changing the hash algorithm
at the same time plus a few bits I found on the way.
Actions performed by this patch:
salt to be NULL, in which case it is treated as md5 hashed password.
*All entries can be automatically updated by a -to be written- script.
*Removes add salt on login code, per above.
*Salted passwords now use sha512 instead of md5.
*Adds requirement on hash extension (usually bundled as static).
*try_login() only performs one query to verify user login instead of 5.
*generate_salt now uses mt_rand()
*Reject passwords given by GET.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aur-password-salting.patch
Type: text/x-patch
Size: 6017 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/aur-dev/attachments/20100419/6471c4aa/attachment.bin>
More information about the aur-dev
mailing list