#6735 (Salt and password order in hash computation)

Ticket #6735 (closed enhancement: wontfix)

Opened 7 months ago

Last modified 2 months ago

Salt and password order in hash computation

Reported by: k3nt1 Assigned to: Jonathan.Wage
Priority: minor Milestone: plugins
Component: sfDoctrineGuardPlugin Version:
Keywords: sfDoctrineGuardPlugin, Salt, SSHA, SHA1, Hash Cc:
Qualification: Unreviewed

Description

The current implementation of the setPassword() method appends the password to the salt and uses this string in the call to the hash function.

Line 43 of PluginsfGuardUser.class.php:

parent::_set('password', call_user_func_array($algorithm, array($salt.$password)));

If I'm not wrong, the most standard way of computing a salted hash for passwords (SSHA for instance) requires the concatenation to be performed the other way around (i.e. $password.$salt).

I know that it would break a lot of things to change this now. But would it be possible to add the possibility to change this order (by way of a config value for instance) so that integration with other products would be possible?

Change History

07/03/09 09:45:23 changed by k3nt1

Some more precisions:

I managed to reproduce a standard SSHA hash, but I must use the binary form of the hex encoded salt.

So I think that the most generic way would be to pass the password and salt as two separate arguments.

I can maybe produce a patch for it if you think that this would be useful.

KR.
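The two schemes side by side, as an added example that is not code from sfDoctrineGuardPlugin or from the reporter: the plugin's hash($salt.$password) with its hex-encoded salt, next to the LDAP-style SSHA layout base64(sha1($password.$rawSalt) . $rawSalt), plus the password-and-salt-as-separate-arguments shape with a configurable order that the ticket asks for. The function names, the order flag and the sample salt are assumptions for this example.

```php
<?php
// Added example, not code from sfDoctrineGuardPlugin. It shows why the
// plugin's hash($salt . $password) cannot reproduce an LDAP-style SSHA
// value, and what a password/salt pair with a configurable order (the
// change requested in this ticket) would look like. Function names, the
// order flag and the sample salt are assumptions for this example.

// Current plugin behaviour: salt string prepended to the password, hex digest out.
function guardPluginHash(string $algorithm, string $salt, string $password): string
{
    return call_user_func($algorithm, $salt . $password);
}

// Proposed shape: password and salt as separate arguments, order chosen by
// a flag (which the plugin could read from a config value), raw binary
// digest so the caller can encode it the way the consuming product expects.
function saltedHash(string $algorithm, string $password, string $salt, bool $passwordFirst): string
{
    $input = $passwordFirst ? $password . $salt : $salt . $password;
    return hash($algorithm, $input, true);
}

// SSHA as used by OpenLDAP: base64( sha1(password . rawSalt) . rawSalt ).
function sshaEncode(string $password, string $rawSalt): string
{
    return '{SSHA}' . base64_encode(saltedHash('sha1', $password, $rawSalt, true) . $rawSalt);
}

// Verification splits the decoded value back into the 20-byte SHA-1 digest
// and the salt that follows it, then recomputes with the same order.
function sshaVerify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return false;
    }
    $decoded = base64_decode(substr($stored, 6), true);
    if ($decoded === false || strlen($decoded) <= 20) {
        return false;
    }
    $digest = substr($decoded, 0, 20);
    $salt   = substr($decoded, 20);
    return hash_equals($digest, saltedHash('sha1', $password, $salt, true));
}

// Constructed sample values; the plugin generates its own random hex salt.
$password = 'correct horse';
$hexSalt  = 'a1b2c3d4e5f60718';   // hex-encoded salt as the plugin stores it
$rawSalt  = hex2bin($hexSalt);    // the binary form an SSHA consumer expects

$pluginDigest = guardPluginHash('sha1', $hexSalt, $password);
$ssha         = sshaEncode($password, $rawSalt);

echo "plugin sha1(hexSalt . password): $pluginDigest\n";
echo "SSHA value:                      $ssha\n";

// The plugin's digest is sha1(hexSalt . password); SSHA's is sha1(password . rawSalt).
// Neither the operand order nor the salt encoding matches, so the two differ.
var_dump($pluginDigest === bin2hex(saltedHash('sha1', $password, $rawSalt, true)));

// With the order reversed and the raw salt, the SSHA value round-trips,
// and a wrong password is rejected.
var_dump(sshaVerify($password, $ssha));
var_dump(sshaVerify('not the password', $ssha));
```

Run it with `php example.php`. The point the reporter makes in the comment above is visible in sshaEncode: both the operand order (password first) and the salt encoding (binary, obtained here with hex2bin from the plugin's hex salt) have to match the consuming product, which is why passing password and salt as two separate values is more flexible than a single pre-concatenated string.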

11/30/09 23:11:20 changed by Jonathan.Wage

  • status changed from new to closed.
  • resolution set to wontfix.
