From 5e347e4efaa81c2108256dc927208cd55dc10baa Mon Sep 17 00:00:00 2001 From: Laria Carolin Chabowski Date: Fri, 25 Sep 2020 23:09:31 +0200 Subject: Use password_hash() and friends to hash and verify passwords Previously I rolled my own password hashing function. While it at least used some sort of salt, it's still a terrible idea. The newly created class PasswordHash wraps the password_hash() family of functions but can also check the old password hash format (to distinguish them, the new password hashes are prefixed with a '!'). In PasswordHash::needsRehash we then always report an hash of the old format as being in need of a rehash. That way, these old hashes will be replaced the next time the user successfully logs in. --- setup.php | 1 - 1 file changed, 1 deletion(-) (limited to 'setup.php') diff --git a/setup.php b/setup.php index f496dfe..47f2202 100644 --- a/setup.php +++ b/setup.php @@ -69,7 +69,6 @@ $files = [ "/ratatoeskr/sys/pluginpackage.php", "/ratatoeskr/sys/db.php", "/ratatoeskr/sys/utils.php", - "/ratatoeskr/sys/pwhash.php", "/ratatoeskr/sys/init_ste.php", "/ratatoeskr/sys/models.php", "/ratatoeskr/sys/textprocessors.php", -- cgit v1.2.3-70-g09d2