Version of script: 2.7.5
Hosting company: ###
URL of phpinfo.php: ###
URL of session_test.php: ###
What terms did you try when SEARCHING for a solution: sha1 password_hash
Write your message below:
Here is a proposed patch for using the password_hash function instead of SHA1. Even if SHA1 with salt might be secure enough, some security guidelines recommend moving on. So I do

Index: admin_functions.inc.php
===================================================================
--- admin_functions.inc.php (revision 275)
+++ admin_functions.inc.php (working copy)
@@ -708,14 +708,7 @@
function hesk_Pass2Hash($plaintext) {
- $majorsalt = '';
- $len = strlen($plaintext);
- for ($i=0;$i<$len;$i++)
- {
- $majorsalt .= sha1(substr($plaintext,$i,1));
- }
- $corehash = sha1($majorsalt);
- return $corehash;
+ return password_hash($plaintext, PASSWORD_BCRYPT);
} // END hesk_Pass2Hash()
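
Review bot: the added line `return password_hash($plaintext, PASSWORD_BCRYPT);` makes hesk_Pass2Hash() non-deterministic, because password_hash() generates a fresh random salt on every call, so any caller that checks a login by comparing hesk_Pass2Hash($input) against the stored value will stop matching. The verification side needs to switch to password_verify($plaintext, $stored_hash) in the same change, and no such hunk is visible here. Existing accounts still hold hashes from the removed SHA1 loop, so keep that routine available as a fallback check at login and rehash with password_hash() on success. Also confirm the password column can hold the 60-character bcrypt string rather than the 40-character SHA1 hex digest.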