Use more secure hashing algorigthm
|Category:||Accounts / authentication|
Currently the hashing algorithm used is:
I suggest to use a more secure ( computationally expensive ) algorithm to store the password. Some alternative algorithms to use:
bcrypt with reasonable iteration count.
The only drawback I can think of is the migration of the database to use the new algorithm. I'm thinking about using this approach to fix this issue:
Let's call the new secure hashing algorithm:
- The salt will be kept in the database.
- Foreach user in the database, replace the hashed password:
- The algorithm
H(SHA1($salt.$plain_password) will be used from now when creating a new users/resetting a new password ...
SHA1 insecure ?¶
When I say insecure I'm not talking about the collision ratio. I'm referencing that it's easy (fast) to compute.
Example: Using hashcat1 v3.10 with GPU: `R9 290X (+10Mhz) - AMDGPU-pro 16.40`, It's able to compute:
sha1 hash per second.
scrypt hash per second.
bcrypt hash per second ( cost of 10 iirc ).