Bug when hash a password about bonobo-git-server HOT 6 CLOSED

With this change all the existing passwords would become obsolete. So maybe a better approach would be encorporating validation for ASCII chars for password input. What do you think?

from bonobo-git-server.

Of course I have a ideal.
In User table add a field as password version,

• version 0, mean old password algorithm
• version 1, mean new password algorithm
• continue if next algorithm going on

We can switch to a appropriate algorithm to identify. If password is not the last version when identify password, we can update it to the last version.
And we can deny a obsoleted password only if user update his password.

PS: the worst is System.Text.Encoding.ASCII.GetString(data); in your code.

from bonobo-git-server.

Basicaly MD5 is not a very good way of encrypting passwords anymore. I would go with different version of an algorithm. I would also prefer not doing database changes.

from bonobo-git-server.

You can choose any hash algorithm if you want, md5, sha1, sha256,,,
Best way to compute a hash value is insert salt into password. e.g, hash(salt + password)

After all, it is a security question. normally, an MD5 or SHA-1 is enough.

from bonobo-git-server.

I don't disagree with you. It's a bug but I am not sure about it's priority. It affects only users with non-ASCII passwords and simple warning not to enter characters beyond this encoding would be much simplier and effective solution for the needs of Bonobo Git Server with consideration of the backward compatibility and database structure.

from bonobo-git-server.

Your are right. Compatibility is important. But I would like do my best if we can.

In my fork, I want rewrite this part. :-)

from bonobo-git-server.