@natejgardner opened this Issue on August 16th 2017

I was just browsing the Piwik FAQ on resetting passwords when I noticed Piwik uses MD5. MD5 is quite vulnerable... Could you please hash passwords using a secure algorithm like Scrypt? See this StackExchange post for details.

@Findus23 commented on August 16th 2017 Member

What FAQ entry are you referring to?
This one (https://piwik.org/faq/how-to/faq_191/) mentions that the password is stored with the new and secure password_hash function (which uses `crypt`) since Piwik 3.0.

```php
echo password_hash(md5("changeMe"), PASSWORD_DEFAULT);
```

I am not sure why the md5-hash is calculated before as it seems useless, but this shouldn't lower the security.
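
The `password_hash(md5(...))` construction from the comment above, as an added example that is not part of the original thread and not Piwik's own code. It assumes one common reason for such wrapping, which the thread does not state: rows that held only an unsalted MD5 digest can be upgraded in place without knowing the plaintext. All function names and sample values are hypothetical.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.

// Legacy scheme (assumed): the database held only the unsalted MD5 hex digest.
function legacy_hash(string $password): string {
    return md5($password);
}

// Upgrade a stored legacy digest without knowing the plaintext: the MD5 hex
// string becomes the input to password_hash (salted, cost-tunable;
// PASSWORD_DEFAULT is bcrypt in current PHP releases).
function upgrade_legacy_hash(string $md5Hex): string {
    return password_hash($md5Hex, PASSWORD_DEFAULT);
}

// New passwords are stored the same way, so one verify path covers both.
function hash_new_password(string $password): string {
    return password_hash(md5($password), PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool {
    return password_verify(md5($password), $stored);
}

// Constructed sample data.
$legacyRow = legacy_hash('changeMe');          // what an old row would hold
$upgraded  = upgrade_legacy_hash($legacyRow);  // migrated in place
$fresh     = hash_new_password('changeMe');    // set after the migration

// Both kinds of row verify through the same function.
var_dump(verify_password('changeMe', $upgraded));
var_dump(verify_password('changeMe', $fresh));
var_dump(verify_password('wrong', $upgraded));

// Same password, two calls: compare the stored strings (salts are per call).
var_dump($upgraded === $fresh);

// Length of the value actually fed to bcrypt for a 200-byte password.
// MD5 hex output is fixed-size and contains no NUL bytes.
var_dump(strlen(md5(str_repeat('x', 200))));

// At login, check whether the stored hash should be regenerated because
// the default algorithm or cost has changed since it was written.
var_dump(password_needs_rehash($upgraded, PASSWORD_DEFAULT));
```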

@natejgardner commented on August 16th 2017

That makes sense, thanks!

This Issue was closed on August 16th 2017