Hash passwords better #330
All passwords are hashed with md5(), which is not appropriate in 2019. It was barely appropriate in 2006 (when the code was written). PHP has native password functionality — use that.

Comment:

Realistically, I think we'll need two side-by-side password systems. New accounts use the new one. Anybody logging into a legacy account will, invisibly, have their password re-hashed and stored in the new system, and then have their old password wiped. After ~14 months, I think then it's time to zero out any legacy passwords — at that point, those folks can just use the "forgot my password" link to get into their accounts.

Status: Closed