by huxley
5103 days ago
Do you happen to know what the new version of aMember uses for password hashing? I saw some mentions of MD5 in forums and some handwaving about how other scripts use custom password security, but nothing definitive. We looked at aMember for a project several years ago, before we switched to Django for all our development, so I haven't kept up on what is available security-wise on PHP.
4.1.3 release: http://www.amember.com/forum/threads/amember-pro-version-4-1... states "Removed user.pass variable from email templates. Plain text password in not available anymore."
4.1.6 release: http://www.amember.com/forum/threads/amember-pro-version-4-1... states "Closes #448 - and do not save md5 passwords at all".
User issue: http://www.amember.com/forum/threads/urgent-amember-v4-1-12-... "Unfortunately, in the email received by customers, the password comes out encrypted like $P$BkTNDykCkTfsOqHwsV4TT2/"
The hash format indicates it's using PHPass: http://cvsweb.openwall.com/cgi/cvsweb.cgi/projects/phpass/Pa... which is based on MD5, but with the log of the number of rounds indicated by the first character after the $P$ prefix. In the forum example, it's "B" which is 11 making it 2^11 rounds. The remainder is an 8 character salt plus checksum. PHPass is authored by "Solar Designer" or Alexander Peslyak, also the author of John the Ripper and respected in the security community: http://en.wikipedia.org/wiki/Alexander_Peslyak so is likely pretty solid.
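Added example, not code from the thread, from aMember or from PHPass itself: a Python re-implementation of the PHPass portable-hash scheme that the comment above identifies, used to pull the fields out of a $P$ string and to verify a password against it. It follows the crypt_private routine in PHPass's PasswordHash.php: the character after $P$ is looked up in PHPass's 64-character alphabet ./0-9A-Za-z and its position is log2 of the round count (so '9' is position 11 and 'B' is position 13, i.e. 2^13 = 8192 rounds), the next 8 characters are the salt, and the remaining 22 encode the 16-byte result of the iterated MD5 with PHPass's own base64 variant. The inputs are the hash quoted from the aMember forum post above (its digest part is shorter than the 22 characters a complete hash carries, so it can be parsed but not verified) and the test12345 known-answer vector from the test.php shipped with PHPass; the other passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# PHPass's 64-character alphabet (from PasswordHash.php). A character's position
# in this string is its numeric value: '9' -> 11, 'A' -> 12, 'B' -> 13.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """PHPass's non-standard base64: 3 input bytes -> 4 chars, low 6 bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_phpass(setting: str) -> dict:
    """Split a $P$/$H$ hash into its fields without doing any hashing."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a PHPass portable hash")
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:  # the bounds PHPass itself enforces
        raise ValueError("unsupported round count")
    return {
        "id": setting[:3],
        "count_log2": count_log2,
        "rounds": 1 << count_log2,
        "salt": setting[4:12],
        "digest": setting[12:],  # 22 characters in a complete hash
    }


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a PHPass portable hash from the password and the hash's prefix."""
    fields = parse_phpass(setting)
    salt = fields["salt"].encode()
    h = hashlib.md5(salt + password).digest()
    for _ in range(fields["rounds"]):  # 2**count_log2 further MD5 iterations
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)


def hash_password(password: bytes, count_log2: int = 13) -> str:
    """Create a fresh $P$ hash with a random 6-byte salt (8 encoded characters).

    PHPass writes ITOA64[iteration_count_log2 + 5] on PHP 5, so the value 8 that
    its test.php passes ends up as 'B' (13), the same letter as in the forum hash.
    """
    setting = "$P$" + ITOA64[min(count_log2, 30)] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


def check_password(password: bytes, stored: str) -> bool:
    """Verify a password; compares in constant time (PHPass's own check uses ==)."""
    try:
        computed = crypt_private(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


# Hash exactly as quoted in the aMember forum post (digest part truncated there).
FORUM_HASH = "$P$BkTNDykCkTfsOqHwsV4TT2/"
# Known-answer vector from PHPass's test.php: the password is "test12345".
PHPASS_VECTOR = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"

if __name__ == "__main__":
    f = parse_phpass(FORUM_HASH)
    print(f"count char {FORUM_HASH[3]!r} -> log2 {f['count_log2']} -> "
          f"{f['rounds']} rounds, salt {f['salt']}, digest {f['digest']!r}")
    print("test.php vector verifies:", check_password(b"test12345", PHPASS_VECTOR))
    fresh = hash_password(b"correct horse")  # constructed password
    print(fresh, check_password(b"correct horse", fresh), check_password(b"wrong", fresh))
```

The work factor is 1 + 2^count_log2 MD5 calls per guess, so a verifier that accepts whatever count character the stored hash carries (as PHPass and this example do) should also bound it on the way in; the 7..30 range here is the one PHPass applies, and a stored hash with a count below the site's policy should be rehashed at next login.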