[aur-dev] FS#17109: AUR passwords are not salted

Linas linas_fi at ymail.com
Fri Jun 25 12:11:23 EDT 2010


Denis Kobozev wrote:
> Here's a patch with a script to salt passwords in the database. It
> assumes that there is already a Salt field in the Users table. Hopefully
> it will be integrated with Linas's patches.
>
> Linas, I think salted_hash() should not call md5() internally,
> otherwise it's not very useful to the script. You can take a look at
> the patch if I'm being ambiguous.
>
> Best,
> Denis.
>   

My idea was to simply replicate the salted_hash() code in the script when
writing it.
Note that your patch is not incremental to mine, although it's another way
to perform a scripty change. The functions changed are the previous ones,
and I also took the opportunity of adding password salting to update
the hash to sha512.

The query in the addsalt() function should have a WHERE Salt IS NULL. That's
nicer than checking it in PHP.




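The two points in this message, sketched as an added example (not code from the AUR or from either patch): a salted_hash() that takes the stored MD5 digest rather than the cleartext, and a migration query restricted with WHERE Salt IS NULL so that a second run changes nothing. The Users table and Salt field come from the thread; the ID, Username and Passwd columns, the concatenation order, the salt length and the use of Python with SQLite are assumptions made for the demonstration.

```python
import hashlib
import secrets
import sqlite3

def salted_hash(md5_hex, salt):
    # Input is the MD5 hex digest, not the cleartext: md5() is not called in
    # here, so the migration can feed it the digests already in the table.
    return hashlib.sha512((salt + md5_hex).encode()).hexdigest()

def add_salt(db):
    # Stand-in for the addsalt() script discussed in the thread (assumed shape).
    # WHERE Salt IS NULL selects only unmigrated rows in SQL, so a re-run
    # cannot hash an already salted value a second time.
    rows = db.execute("SELECT ID, Passwd FROM Users WHERE Salt IS NULL").fetchall()
    for user_id, md5_hex in rows:
        salt = secrets.token_hex(16)  # per-user random salt
        db.execute(
            "UPDATE Users SET Passwd = ?, Salt = ? WHERE ID = ? AND Salt IS NULL",
            (salted_hash(md5_hex, salt), salt, user_id),
        )
    db.commit()
    return len(rows)  # number of accounts migrated by this run

def check_password(db, username, password):
    row = db.execute(
        "SELECT Passwd, Salt FROM Users WHERE Username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored, salt = row
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    # Unmigrated rows still hold the bare MD5; migrated rows hold the wrapped hash.
    candidate = md5_hex if salt is None else salted_hash(md5_hex, salt)
    return secrets.compare_digest(candidate, stored)

def build_demo_db():
    # Constructed sample data: two users who chose the same password.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, Passwd TEXT, Salt TEXT)"
    )
    for name in ("alice", "bob"):
        legacy = hashlib.md5(b"correct horse").hexdigest()
        db.execute("INSERT INTO Users (Username, Passwd) VALUES (?, ?)", (name, legacy))
    db.commit()
    return db
```

Before the migration both sample rows carry the same digest; afterwards they differ, and calling add_salt() again returns 0. Salted SHA-512 is the scheme this thread discusses; current practice favours a dedicated password-hashing function such as bcrypt or Argon2.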