Use a safe password hashing mechanism
The current AccountFactory uses the generateSaltedMd5 method of the HashService. Since MD5 is not considered safe, we should switch to either sha1 or another method for password hashing (e.g. also use an HMAC).
[!!!][FEATURE] Implement a safe password hashing mechanism using PBKDF2
This change implements a configurable password hashing strategy for
the hash service and a PBKDF2 based password hashing strategy which
generates strong hashed passwords and uses multiple iterations for
To use the old salted MD5 hashing, the password hashing strategy
may be replaced in the Objects.yaml.
#1 Updated by Christopher Hlubek about 9 years ago
I would propose using a standardized and proven way of creating password hashes for storage: see http://en.wikipedia.org/wiki/PBKDF2 and http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard
With a decent iteration count (> 10,000) it should be considered safe for now.