[Changed] Time to say goodbye to MD5
Posted: Sun Jan 09, 2022 4:13 am
Previously, nuBuilder used MD5 to hash passwords. Because MD5 is a weak hash function that is no longer considered cryptographically secure, nuBuilder now stores passwords by default using PHP's password_hash() function, which generates a secure hash of your password.
How are the password hashes converted to the new standard?
When a user logs in and nuBuilder discovers that the password is still stored in the database as an MD5 hash, nuBuilder replaces that MD5 hash with a new hash generated by password_hash().
To check which passwords in the database have already been converted, you can run this query (use NOT LIKE instead to get a list of the passwords that are still MD5 hashes):
-- bcrypt hashes produced by password_hash() begin with $2y$
SELECT * FROM `zzzzsys_user` WHERE `sus_login_password` LIKE '$2y$%';
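The convert-on-login step described above, as an added example (this is not nuBuilder's own code). The function names are hypothetical, and the `$users` array is constructed sample data standing in for the user table.

```php
<?php
// Added example, not nuBuilder's code. Function names are hypothetical and
// $users stands in for the user table (login => stored password hash).

function isLegacyMd5(string $stored): bool
{
    // An MD5 hex digest is exactly 32 hex characters;
    // password_hash() output always starts with '$'.
    return preg_match('/^[a-f0-9]{32}$/i', $stored) === 1;
}

function loginAndUpgrade(array &$users, string $login, string $password): bool
{
    if (!isset($users[$login])) {
        return false;
    }
    $stored = $users[$login];

    if (isLegacyMd5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // The plaintext is only available during login, so re-hash here.
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also upgrade when PHP's default algorithm or cost changes later.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample row that still holds an MD5 hash.
$users = ['alice' => md5('correct horse')];

var_dump(loginAndUpgrade($users, 'alice', 'wrong'));         // rejected, row untouched
var_dump(isLegacyMd5($users['alice']));                      // row is still MD5
var_dump(loginAndUpgrade($users, 'alice', 'correct horse')); // accepted, row re-hashed
var_dump(isLegacyMd5($users['alice']));                      // row is no longer MD5
var_dump(loginAndUpgrade($users, 'alice', 'correct horse')); // verified via password_verify()
```

Accounts that never log in keep their MD5 hash under this scheme, which is what the NOT LIKE variant of the query lists.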