User Password Salt is Constant #12
Comments
|
Would it be good for people using it to change their salt? |
|
Yes. Changing the SM_SALT variable in ini.php would at least make your site have different hashes from another sourcebans website. However it still means that any two users that have the same password will still have the same hash for their hashed password. It should instead create a new salt for every single user and store that salt in the user database. That would make two users that have the same password end up with different hashes that are stored in the database. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just noticed that in the ini.php on line 93 there is a static value for the salt of all the passwords. Since this project is open source, that essentially means that the salt is now irrelevant since its constant for any user.
Generating a random salt and storing it in the database, even if its just generated once during the site installation is vastly more secure than storing it as a static variable in ini.php. Ideally it should be generated for every user and then stored in the user table.
I wish I had time to fix this myself but I'm quite busy at the moment and wanted to point it out at least.
The text was updated successfully, but these errors were encountered: