[Act-dev] a few ideas for legacy Act

Alex Muntada alexm at alexm.org
Sat Oct 3 16:16:20 CEST 2015


Philippe Bruhat (BooK):

> My memories from the Act hackathon of 2014 are that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.

I added support for bcrypt with backwards compatibility for old
MD5 digests. I have tested it in my vagrant box and it works:

https://github.com/book/Act/pull/63

With this PR, passwords will be rehashed when changed. Later, it
should be easy to add the logic to enforce password rehashing
after login if you want.

However, all this doesn't matter until the password is sent through
a secure channel.

Cheers,
Alex
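The migration pattern Alex describes (keep verifying old unsalted MD5 digests, write the stronger scheme on password change, and optionally rehash a legacy record the moment a login succeeds) is sketched below as an added example. It is not Act's code (Act is written in Perl and the PR above is the actual implementation); it is a language-neutral illustration in Python, and the record format, the `is_legacy` heuristic and the user store are all assumptions made up for the example. Because the verifier only has the standard library, scrypt from `hashlib` stands in for bcrypt; the upgrade logic is identical whichever slow hash you pick.

```python
import hashlib
import hmac
import os

# Assumed record formats for this example (not Act's actual storage):
#   legacy   -> bare 32-char hex MD5 digest, unsalted
#   upgraded -> "scrypt$<salt hex>$<derived key hex>"
# scrypt stands in for bcrypt here because it ships with the Python stdlib.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """The weak legacy scheme: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy(stored: str) -> bool:
    """Heuristic (assumed for the example): a legacy record is exactly 32 hex chars."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def strong_hash(password: str) -> str:
    """Hash under the new scheme with a fresh random salt."""
    salt = os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _scrypt(password, salt).hex()


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, in constant time per scheme."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, dk_hex = bytes.fromhex(parts[1]), parts[2]
    return hmac.compare_digest(_scrypt(password, salt).hex(), dk_hex)


def login(store: dict, user: str, password: str) -> bool:
    """Verify a login; on success, transparently upgrade a legacy record.

    This is the 'enforce rehashing after login' step: the plaintext is only
    available while the user is authenticating, so that is when the MD5
    digest can be replaced. A failed login must never touch the record.
    """
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy(stored):
        store[user] = strong_hash(password)
    return True


def change_password(store: dict, user: str, old: str, new: str) -> bool:
    """Rehash on password change, the behaviour the PR already provides."""
    if not login(store, user, old):
        return False
    store[user] = strong_hash(new)
    return True


if __name__ == "__main__":
    # Constructed sample store: one user still on the legacy MD5 digest.
    users = {"alice": legacy_md5("correct horse")}
    print("before:", users["alice"])
    login(users, "alice", "correct horse")
    print("after: ", users["alice"])
```

Two details matter in practice: the upgrade happens only after `verify` has succeeded (a wrong password must not rewrite the record), and `hmac.compare_digest` is used for both schemes so the comparison does not leak timing on the legacy path either. As Alex notes, none of this helps while the plaintext password travels over an unencrypted channel.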


More information about the Act-dev mailing list