[aur-dev] FS#17109: AUR passwords are not salted

Loui Chang louipc.ist at gmail.com
Wed May 26 08:43:14 EDT 2010


On Mon 19 Apr 2010 15:39 +0200, Linas wrote:
> Loui Chang wrote:
> 
> > Thank you for your suggestions. These are things that are best discussed
> > on the aur-dev mailing list.
> >
> > Seems like you've put some thought into this. Why don't you submit a
> > patch?
> >   
> 
> Thanks for your support. Here goes an attempt.
> I have mixed my suggestions with Denis' idea of changing the hash algorithm
> at the same time, plus a few bits I found on the way.
> 
> Actions performed by this patch:
> salt to be NULL, in which case it is treated as md5 hashed password.
> *All entries can be automatically updated by a -to be written- script.
> *Removes add salt on login code, per above.
> *Salted passwords now use sha512 instead of md5.
> *Adds requirement on hash extension (usually bundled as static).
> *try_login() only performs one query to verify user login instead of 5.
> *generate_salt now uses mt_rand()
> *Reject passwords given by GET.

Sorry for the late response.
Ideally each of these actions should be a separate patch.

That would enable changes that are straightforward to be applied
quickly, while the other changes might still need review.
The -to be written- script also needs to be included for the change to
be complete.

Cheers.
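To make the migration logic in the patch list above concrete, here is an added Python illustration (not the AUR code or the submitted patch): a NULL salt marks a legacy md5 entry, anything else is verified as sha512 over salt plus password, a successful legacy login rehashes the entry in place, and passwords arriving by GET are rejected. The salt+password ordering, the record layout and the use of a CSPRNG in place of mt_rand() are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserRecord:
    """Assumed shape of the two relevant columns; salt is None for a legacy md5 row."""
    passwd: str
    salt: Optional[str]


def legacy_md5_record(password: str) -> UserRecord:
    """Builds a pre-patch style row (unsalted md5) for demonstration only."""
    return UserRecord(passwd=hashlib.md5(password.encode("utf-8")).hexdigest(), salt=None)


def generate_salt() -> str:
    # 16 random bytes from the OS CSPRNG, hex-encoded (mt_rand() is not a CSPRNG).
    return secrets.token_hex(16)


def salted_hash(salt: str, password: str) -> str:
    # Assumed layout: sha512 over the salt followed by the password.
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def check_password(record: UserRecord, password: str) -> bool:
    """Legacy rows compare against md5; salted rows against sha512(salt + password)."""
    if record.salt is None:
        expected = hashlib.md5(password.encode("utf-8")).hexdigest()
    else:
        expected = salted_hash(record.salt, password)
    return hmac.compare_digest(expected, record.passwd)  # constant-time compare


def try_login(record: UserRecord, password: str, method: str = "POST") -> bool:
    """One lookup, one comparison; upgrades a legacy row in place on success."""
    if method != "POST":  # passwords in a GET query string end up in logs and history
        return False
    if not check_password(record, password):
        return False
    if record.salt is None:  # transparently migrate md5 rows as users log in
        record.salt = generate_salt()
        record.passwd = salted_hash(record.salt, password)
    return True
```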


More information about the aur-dev mailing list