Re: we need to integrate new password algorithm ASAP
by Vaughan on 2008/3/11 16:47:57

The new password branch in svn uses 2 salts to hash the password with, and then the final password + 2 salts is hashed using sha256. It's basically (broken down):
$pass_plain = 'plaintext_password';
$pass_salt = $userSalt.md5($pass_plain).$mainSalt;
$final_hash = sha256($pass_salt);
That's a very basic description. Each of the salts is 64 characters long. They are added to the pass_plain, which is md5'd before adding the salts. Then sha256 the result. Basically sha256 is now hashing a 160 character password. I don't think that can easily be bruteforced or decrypted. lol
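
The construction described in the post, written out as an added example (not code from the svn branch or from the poster). The function names, the hex-encoded random salts, and the reading of `$userSalt` as per-user and `$mainSalt` as site-wide are assumptions. It also times the hash so the cost of checking one candidate password can be measured.

```php
<?php
// Added example; helper names and salt generation are assumptions, not project code.

// Assumption: a 64-character salt is 32 random bytes, hex-encoded.
function make_salt(): string
{
    return bin2hex(random_bytes(32));
}

// The construction from the post: sha256(userSalt . md5(plain) . mainSalt).
function hash_password(string $plain, string $userSalt, string $mainSalt): string
{
    $salted = $userSalt . md5($plain) . $mainSalt; // 64 + 32 + 64 = 160 characters
    return hash('sha256', $salted);
}

// Recompute with the stored salts and compare in constant time.
function verify_password(string $plain, string $userSalt, string $mainSalt, string $stored): bool
{
    return hash_equals($stored, hash_password($plain, $userSalt, $mainSalt));
}

// Constructed sample values for the demonstration.
$mainSalt  = make_salt(); // assumed site-wide
$aliceSalt = make_salt(); // assumed per-user
$bobSalt   = make_salt();

$alice = hash_password('plaintext_password', $aliceSalt, $mainSalt);
$bob   = hash_password('plaintext_password', $bobSalt, $mainSalt);

// Length of the string that sha256 actually sees.
echo "sha256 input length: ", strlen($aliceSalt . md5('plaintext_password') . $mainSalt), "\n";
// Same password, different user salt: the stored hashes differ.
echo "same password, same hash? ", var_export($alice === $bob, true), "\n";
echo "correct password verifies? ",
    var_export(verify_password('plaintext_password', $aliceSalt, $mainSalt, $alice), true), "\n";
echo "wrong password verifies? ",
    var_export(verify_password('wrong_password', $aliceSalt, $mainSalt, $alice), true), "\n";

// Measure what one password check costs on this machine.
$rounds = 100000;
$start = microtime(true);
for ($i = 0; $i < $rounds; $i++) {
    hash_password('candidate' . $i, $aliceSalt, $mainSalt);
}
printf("%d hashes in %.3f s\n", $rounds, microtime(true) - $start);
```

The input to sha256 is always 160 characters whatever the length of the plaintext, and checking one candidate costs one md5 and one sha256 call.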