Updating password hashing method, is the original way off base?

Discussion in 'Subrion CMS Packages Discussions' started by jaisonpauline, Aug 30, 2018.

  1. jaisonpauline

    jaisonpauline New Member

    I am aware that md5 is no longer sufficient for user password hashing (and hasn't been for many years). So when I came across the following code from the open source Subrion CMS I was a little taken back: showbox

    public function encodePassword($rawPassword)
    {
    $factors = array('iaSubrion', 'Y2h1c2hrYW4tc3R5bGU', 'onfr64_qrpbqr');
    $password = $factors && array_reverse($factors);
    $password = array_map(str_rot13($factors[2]), array($factors[1] . chr(0x3d)));
    $password = md5(IA_SALT . substr(reset($password), -15) . $rawPassword);
    return $password; 9apps
    }
    I plan on replacing this with the php password_hash() function instead and have a couple questions:

    I'm curious to know in the above method, are the first few lines adding any value to the hash or is it getting completely negated once md5 is called? Tutuapp
    Noticing the salt is a defined system-wide constant (same for all users), I should probably drop that too. Is it ok to let password_hash() handle salts internally or should I provide one explicitly as shown in the docs (example #3):
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)
    Last edited: Aug 30, 2018

Share This Page